Transcript Document 7378839
COMP-11: Best practices for Deploying AppServer
™
and WebSpeed
™ Doug Merrett
Senior Solution Engineer Progress Software UK
Agenda
2 AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Generic OpenEdge
®
Server Architecture
OpenEdge Server Host AdminServer Progress Explorer or Management Utilities Client Process Name Server ubroker.properties
OpenEdge Server Broker OpenEdge Server Agents/Servers
3 COMP-11: Best practices for Deploying AppServer and WebSpeed
Text Editor, MERGEPROP or Configuration Utilities
© 2007 Progress Software Corporation
WebSpeed OpenEdge Server Architecture
OpenEdge Server Host AdminServer Progress Explorer or Management Utilities WebSpeed Messenger Name Server ubroker.properties
WebSpeed Broker WebSpeed Agents
4 COMP-11: Best practices for Deploying AppServer and WebSpeed
Text Editor, MERGEPROP or Configuration Utilities
© 2007 Progress Software Corporation
AppServer OpenEdge Server Architecture
OpenEdge Server Host AdminServer Progress Explorer or Management Utilities Any Client, AIA,AIA/S or WSA Name Server ubroker.properties
AppServer Broker AppServer Servers
5 COMP-11: Best practices for Deploying AppServer and WebSpeed
Text Editor, MERGEPROP or Configuration Utilities
© 2007 Progress Software Corporation
General Round Trip for a Request
Step 1 Step 2 Name Server Step 0 Client Step 3 Step 4 Step 5 Step 6 Broker Agents or Servers
6 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
General Round Trip for a Request
Step 0: Broker sends details to NameServer Step 1: Client requests Service from NameServer Step 2: NameServer responds with Broker details Step 3: Client connects to Broker and requests a Server to handle the request Step 4: Broker responds with Server’s details Step 5: Client connects with Server and passes request information Step 6: Server sends response © 2007 Progress Software Corporation 7 COMP-11: Best practices for Deploying AppServer and WebSpeed
Agenda
8 AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Sample Deployment – Development
Developer’s PC Dev Tools Development Server Web Server & WebSpeed Messenger Web .PL & .R
WebSpeed AppServer Common .PL & .R
AppServ .PL & .R
Database
© 2007 Progress Software Corporation 9 COMP-11: Best practices for Deploying AppServer and WebSpeed
Sample Deployments – Production Intranet
User’s PC GUI/Char Client or Browser Production Server Web Server & WebSpeed Messenger Web .PL
WebSpeed AppServer Common .PL
AppServ .PL
Database
© 2007 Progress Software Corporation 10 COMP-11: Best practices for Deploying AppServer and WebSpeed
11
Sample Deployments – Production Internet
DMZ Internal Network Internet Name Server Internet Web Server WebSpeed Messenger WebSpeed Broker WebSpeed Agents Protocol: TCP Protocol: UDP © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Agenda
12 AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Network Security
Data travelling over the internet may need to be protected from being read and/or modified The reason for network security is to keep the bad guys out, but still allow access from the public internet Remember that nothing is 100% secure, all we can do is make it as hard as possible to break our security © 2007 Progress Software Corporation 13 COMP-11: Best practices for Deploying AppServer and WebSpeed
Network Security – Border patrol
The first line of defence is the Firewall Firewalls 14 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Network Security – SSL
15 SSL (Secure Socket Layer) – a protocol to encrypt TCP/IP traffic over a network Used correctly, all the communications between the client and the server are encrypted and will not be able to be broken* Commonly used on Web sites that take credit card details SSL will slow down performance due to the overhead of encrypting and decrypting * In a reasonable timeframe – any encryption can be broken, it just depends on how long you wish to wait!
© 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Network Security – Progress specific
16 Only install AIA, AIA/S, WSA or WebSpeed Messenger on a machine the DMZ Do not use standard ports or “names” for the Name Server, Broker and Agents/Servers • Delete the WSBROKER1, ASBROKER1, NS1, etc • • Re-create the appropriate brokers, using non standard ports Don’t use port 5162 for the Name Server or call it NS1 for example © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Network Security – Progress specific
(cont) If you need the WebSpeed Messenger, AIA or WSA go to the www.progress.com/openedge/support web page, click on the “download” link on the bottom right of the page Use your usual ESD login or if required, there is an option to register for downloading Deployment Components © 2007 Progress Software Corporation 17 COMP-11: Best practices for Deploying AppServer and WebSpeed
Network Security – Progress specific
(cont) These components are on the OpenEdge media, so just use the control codes and serial number from the Download Centre if you have the CD for the required platform 18 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Agenda
19 AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Machine Security
20 Limit physical access to the machine Minimise services running Change userid from root/administrator to stop people guessing the login id • Windows 2000 http://support.microsoft.com/kb/320053 • Windows 2003 http://support.microsoft.com/kb/816109 • Windows XP http://support.microsoft.com/kb/555441 © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Machine Security
(cont) 21 Regularly check machine logs for intrusion attempts (Firewall, DMZ server and Internal server) Implement password security routines that force regular changes and also enforce strong passwords (alpha-numeric) Apply the vendor patches (after thorough testing) Create users and groups that have limited access via the operating system to the Progress and application directories © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Agenda
22 AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Progress Infrastructure – Generic
Remove .R and .PL files from the DLC directory that are not required to run your application Remove the proDebugEnable, _debugEnable, proDebugConfig and _debugConfig commands from the DLC/bin directory of your production machine Use SSL with OpenEdge 10 to communicate between Progress components © 2007 Progress Software Corporation 23 COMP-11: Best practices for Deploying AppServer and WebSpeed
Progress Infrastructure – Generic
(cont) This diagram comes from the
Core Business Services
manual in OpenEdge 10.1B and shows the communication streams of the OpenEdge environment that can be secured with the SSL protocol © 2007 Progress Software Corporation 24 COMP-11: Best practices for Deploying AppServer and WebSpeed
Progress Infrastructure – Generic
(cont) Change Broker Owners 25 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Progress Infrastructure – Generic
(cont) Use the requireusername admingroup and to start the AdminServer
>proadsv -start -requireusername -admingroup Administrators OpenEdge Release 10.1B as of Wed Jan 10 12:21:31 EST 2007 >wtbman -start -name Exchange2007 OpenEdge Release 10.1B as of Wed Jan 10 12:21:31 EST 2007 Connecting to Progress AdminServer using rmi://localhost:20931/Chimera (8280) Searching for Exchange2007 (8288) Connecting to Exchange2007 (8276) User not authenticated (8304)
© 2007 Progress Software Corporation 26 COMP-11: Best practices for Deploying AppServer and WebSpeed
Progress Infrastructure – Generic
(cont) Rename the WSA and AIA files to remove them from the URL. Makes it harder for hackers to find out what you are… WSA and AIA • Rename the directory to change it from WSA or AIA • Modify the WEB.XML files to suit © 2007 Progress Software Corporation 27 COMP-11: Best practices for Deploying AppServer and WebSpeed
Progress Infrastructure – Generic
(cont) Rename the WebSpeed Messenger files to remove them from the URL. Makes it harder for hackers to find out what you are… WebSpeed Messenger • Windows, see the cgiip.wsc
file in C:\inetpub\scripts for information (do not use .wsc, choose another extension) • Unix/Linux, just rename the messenger example script wspd_cgi.sh
© 2007 Progress Software Corporation 28 COMP-11: Best practices for Deploying AppServer and WebSpeed
Progress Infrastructure – AppServer
Make the AppServer Broker run without DEBUG 29 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Progress Infrastructure – WebSpeed
Make the WebSpeed Broker run in PRODUCTION mode 30 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Progress Infrastructure – WebSpeed
(cont) Make the WebSpeed Broker run without DEBUG 31 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Progress Infrastructure – WebSpeed
(cont)
Remove the “Generated by Webspeed” Message (OE10)
...
/* Output any pending messages */ IF available-messages(?) THEN output-messages("all", ?, "Messages:").
IF CAN-DO ("text/html*,text/x-server-parsed html*",output-content-type) THEN {&OUT} "~n~n~n":U.
OUTPUT {&WEBSTREAM} CLOSE.
...
© 2007 Progress Software Corporation 32 COMP-11: Best practices for Deploying AppServer and WebSpeed
Progress Infrastructure – WebSpeed
(cont) Minimize access to the WebSpeed Messenger Administration tool 33 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Progress Infrastructure – WebServices Adapter
Minimize access to the WebServices Adapter Administration tool 34 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Agenda
35 AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Application Security – Generic
Use RCODEKEY and DBAUTHKEY to limit which .R’s can run against the database CLIENT-PRINCIPAL object Program “defensively” • • Make sure it fails in a secure manner Never accept parameters from a user without verification © 2007 Progress Software Corporation 36 COMP-11: Best practices for Deploying AppServer and WebSpeed
Application Security – WebSpeed
Modify WEB-DISP.P to: • Check using the user-id and limit access to programs • • Make sure they are logged on Remove access to DEBUG, PING and RESET Pass parameters in an “encrypted” manner Reconnect to the database if not connected © 2007 Progress Software Corporation 37 COMP-11: Best practices for Deploying AppServer and WebSpeed
Application Security – WebSpeed
(cont)
Old WEB-DISP.P code
...
AppProgram = (IF AppProgram = "debug":U THEN "webutil/debug.p":U ELSE (IF AppProgram = "ping":U THEN "webutil/ping.p":U ELSE (IF AppProgram = "reset":U THEN "webutil/reset.p":U ELSE AppProgram))).
RUN run-web-object IN web-utilities-hdl (AppProgram) NO-ERROR.
...
© 2007 Progress Software Corporation 38 COMP-11: Best practices for Deploying AppServer and WebSpeed
39
Application Security – WebSpeed
(cont)
New SECURE-WEB-DISP.P code
...
vGUID = get-field ("GUID").
find first tState where tState.GUIDField = vGUID.
if not available tState then AppProgram = "logon.r".
else if not can-find (tProgs where tProgs.UsersID = tState.UsersID
and tProgs.ProgID = AppProgram) then AppProgram = "invalidprogram.r".
RUN run-web-object IN web-utilities-hdl (AppProgram) NO-ERROR.
...
© 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Application Security – AppServer
Use the CONNECT or STARTUP procedure to set the available programs via the EXPORT method on the SESSION handle 40 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Application Security – AppServer
(cont)
Client Code for connecting to the AppServer
DEFINE VARIABLE hAppSrv AS HANDLE NO-UNDO.
DEFINE VARIABLE lOK AS LOGICAL NO-UNDO.
CREATE SERVER hAppSrv.
lOK = hAppSrv:CONNECT ("-AppService inventory", "FRED", "MYPASSWORD").
...
RUN XXX.P ON hAppSrv.
...
hAppSrv:DISCONNECT () NO-ERROR.
DELETE OBJECT hAppSrv NO-ERROR.
© 2007 Progress Software Corporation 41 COMP-11: Best practices for Deploying AppServer and WebSpeed
Application Security – AppServer
(cont)
Server Code in CONNECT.P
DEFINE INPUT PARAMETER pUserID AS CHARACTER.
DEFINE INPUT PARAMETER pPassWd AS CHARACTER.
DEFINE INPUT PARAMETER pASInfo AS CHARACTER.
find first tUsers where tUsers.UsersID = pUserID if available tUsers and tUsers.PassWd = pPassWd no-lock no-error.
then SESSION:EXPORT (tUsers.AllowedProgsList).
else RETURN ERROR "Invalid UserId and/or Password".
© 2007 Progress Software Corporation 42 COMP-11: Best practices for Deploying AppServer and WebSpeed
Agenda
43 AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Database Security
This is the last line of defence Hopefully all the other techniques have managed to stop the intruders 44 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Database Security
(cont) 45 Encryption • • Individual fields via the ENCRYPT function Entire Database via operating system filesystem – Linux – dm-crypt and others – Solaris – zfs (one day) – IBM – Can’t find a reference – HP – Can’t find a reference – Windows – Many solutions • Hardware Device – Seagate Momentus ® 5400 FDE.2 © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
Database Security
(cont) CAN-READ, CAN-WRITE, etc • • Compile time security Dynamic queries use these fields, so may cause issues Disallow the “Blank” userid Use File system permissions on Database files to minimise access to users © 2007 Progress Software Corporation 46 COMP-11: Best practices for Deploying AppServer and WebSpeed
Database Security
(cont) If not needed, do not install SQL-92 Database facilities Set up SQL-92 Database security to minimise ODBC/JDBC access by using the GRANT command •
GRANT SELECT ON customer TO dbuser2;
47 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Agenda
48 AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed
In Summary
Always deploy for the Internet or Extranet using a Firewall and DMZ Secure your machines, application and network Turn off “Development” in WebSpeed 49 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Questions?
50 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Relevant Exchange Sessions
INT-10: COMP-1: DB-14: DEV-4: Understanding the AppServer, Inside-out Securing your web application against hackers OpenEdge Database Run-Time Security Revealed OpenEdge in an LDAP World © 2007 Progress Software Corporation 51 COMP-11: Best practices for Deploying AppServer and WebSpeed
For More Information, go to…
Documentation: • OpenEdge Getting Started: Core Business Services – Security and authentication • OpenEdge Revealed – Achieving Server Control with Fathom Management • OpenEdge Application Server: Administration © 2007 Progress Software Corporation 52 COMP-11: Best practices for Deploying AppServer and WebSpeed
For More Information, go to…
Progress Software Knowledgebase • • 19533 – Running WebSpeed in Production Mode P22658 – The new DATABASES environment variable for WebSpeed 53 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation
Thank you for your time
54 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation