Document 7378839

Download Report

Transcript Document 7378839

COMP-11: Best practices for Deploying AppServer

and WebSpeed

™ Doug Merrett

Senior Solution Engineer Progress Software UK

Agenda

2    AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database  Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Generic OpenEdge

®

Server Architecture

OpenEdge Server Host AdminServer Progress Explorer or Management Utilities Client Process Name Server ubroker.properties

OpenEdge Server Broker OpenEdge Server Agents/Servers

3 COMP-11: Best practices for Deploying AppServer and WebSpeed

Text Editor, MERGEPROP or Configuration Utilities

© 2007 Progress Software Corporation

WebSpeed OpenEdge Server Architecture

OpenEdge Server Host AdminServer Progress Explorer or Management Utilities WebSpeed Messenger Name Server ubroker.properties

WebSpeed Broker WebSpeed Agents

4 COMP-11: Best practices for Deploying AppServer and WebSpeed

Text Editor, MERGEPROP or Configuration Utilities

© 2007 Progress Software Corporation

AppServer OpenEdge Server Architecture

OpenEdge Server Host AdminServer Progress Explorer or Management Utilities Any Client, AIA,AIA/S or WSA Name Server ubroker.properties

AppServer Broker AppServer Servers

5 COMP-11: Best practices for Deploying AppServer and WebSpeed

Text Editor, MERGEPROP or Configuration Utilities

© 2007 Progress Software Corporation

General Round Trip for a Request

Step 1 Step 2 Name Server Step 0 Client Step 3 Step 4 Step 5 Step 6 Broker Agents or Servers

6 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

General Round Trip for a Request

       Step 0: Broker sends details to NameServer Step 1: Client requests Service from NameServer Step 2: NameServer responds with Broker details Step 3: Client connects to Broker and requests a Server to handle the request Step 4: Broker responds with Server’s details Step 5: Client connects with Server and passes request information Step 6: Server sends response © 2007 Progress Software Corporation 7 COMP-11: Best practices for Deploying AppServer and WebSpeed

Agenda

8    AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database  Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Sample Deployment – Development

Developer’s PC Dev Tools Development Server Web Server & WebSpeed Messenger Web .PL & .R

WebSpeed AppServer Common .PL & .R

AppServ .PL & .R

Database

© 2007 Progress Software Corporation 9 COMP-11: Best practices for Deploying AppServer and WebSpeed

Sample Deployments – Production Intranet

User’s PC GUI/Char Client or Browser Production Server Web Server & WebSpeed Messenger Web .PL

WebSpeed AppServer Common .PL

AppServ .PL

Database

© 2007 Progress Software Corporation 10 COMP-11: Best practices for Deploying AppServer and WebSpeed

11

Sample Deployments – Production Internet

DMZ Internal Network Internet Name Server Internet Web Server WebSpeed Messenger WebSpeed Broker WebSpeed Agents Protocol: TCP Protocol: UDP © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Agenda

12    AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database  Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Network Security

  Data travelling over the internet may need to be protected from being read and/or modified  The reason for network security is to keep the bad guys out, but still allow access from the public internet Remember that nothing is 100% secure, all we can do is make it as hard as possible to break our security © 2007 Progress Software Corporation 13 COMP-11: Best practices for Deploying AppServer and WebSpeed

Network Security – Border patrol

 The first line of defence is the Firewall Firewalls 14 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Network Security – SSL

15  SSL (Secure Socket Layer) – a protocol to encrypt TCP/IP traffic over a network  Used correctly, all the communications between the client and the server are encrypted and will not be able to be broken*  Commonly used on Web sites that take credit card details  SSL will slow down performance due to the overhead of encrypting and decrypting * In a reasonable timeframe – any encryption can be broken, it just depends on how long you wish to wait!

© 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Network Security – Progress specific

16   Only install AIA, AIA/S, WSA or WebSpeed Messenger on a machine the DMZ Do not use standard ports or “names” for the Name Server, Broker and Agents/Servers • Delete the WSBROKER1, ASBROKER1, NS1, etc • • Re-create the appropriate brokers, using non standard ports Don’t use port 5162 for the Name Server or call it NS1 for example © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Network Security – Progress specific

(cont)  If you need the WebSpeed Messenger, AIA or WSA go to the www.progress.com/openedge/support web page, click on the “download” link on the bottom right of the page  Use your usual ESD login or if required, there is an option to register for downloading Deployment Components © 2007 Progress Software Corporation 17 COMP-11: Best practices for Deploying AppServer and WebSpeed

Network Security – Progress specific

(cont)  These components are on the OpenEdge media, so just use the control codes and serial number from the Download Centre if you have the CD for the required platform 18 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Agenda

19    AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database  Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Machine Security

20    Limit physical access to the machine Minimise services running Change userid from root/administrator to stop people guessing the login id • Windows 2000 http://support.microsoft.com/kb/320053 • Windows 2003 http://support.microsoft.com/kb/816109 • Windows XP http://support.microsoft.com/kb/555441 © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Machine Security

(cont) 21   Regularly check machine logs for intrusion attempts (Firewall, DMZ server and Internal server)  Implement password security routines that force regular changes and also enforce strong passwords (alpha-numeric) Apply the vendor patches (after thorough testing)  Create users and groups that have limited access via the operating system to the Progress and application directories © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Agenda

22    AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database  Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Progress Infrastructure – Generic

 Remove .R and .PL files from the DLC directory that are not required to run your application  Remove the proDebugEnable, _debugEnable, proDebugConfig and _debugConfig commands from the DLC/bin directory of your production machine  Use SSL with OpenEdge 10 to communicate between Progress components © 2007 Progress Software Corporation 23 COMP-11: Best practices for Deploying AppServer and WebSpeed

Progress Infrastructure – Generic

(cont)  This diagram comes from the

Core Business Services

manual in OpenEdge 10.1B and shows the communication streams of the OpenEdge environment that can be secured with the SSL protocol © 2007 Progress Software Corporation 24 COMP-11: Best practices for Deploying AppServer and WebSpeed

Progress Infrastructure – Generic

(cont)  Change Broker Owners 25 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Progress Infrastructure – Generic

(cont)  Use the requireusername admingroup and to start the AdminServer

>proadsv -start -requireusername -admingroup Administrators OpenEdge Release 10.1B as of Wed Jan 10 12:21:31 EST 2007 >wtbman -start -name Exchange2007 OpenEdge Release 10.1B as of Wed Jan 10 12:21:31 EST 2007 Connecting to Progress AdminServer using rmi://localhost:20931/Chimera (8280) Searching for Exchange2007 (8288) Connecting to Exchange2007 (8276) User not authenticated (8304)

© 2007 Progress Software Corporation 26 COMP-11: Best practices for Deploying AppServer and WebSpeed

Progress Infrastructure – Generic

(cont)  Rename the WSA and AIA files to remove them from the URL. Makes it harder for hackers to find out what you are…  WSA and AIA • Rename the directory to change it from WSA or AIA • Modify the WEB.XML files to suit © 2007 Progress Software Corporation 27 COMP-11: Best practices for Deploying AppServer and WebSpeed

Progress Infrastructure – Generic

(cont)  Rename the WebSpeed Messenger files to remove them from the URL. Makes it harder for hackers to find out what you are…  WebSpeed Messenger • Windows, see the cgiip.wsc

file in C:\inetpub\scripts for information (do not use .wsc, choose another extension) • Unix/Linux, just rename the messenger example script wspd_cgi.sh

© 2007 Progress Software Corporation 28 COMP-11: Best practices for Deploying AppServer and WebSpeed

Progress Infrastructure – AppServer

 Make the AppServer Broker run without DEBUG 29 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Progress Infrastructure – WebSpeed

 Make the WebSpeed Broker run in PRODUCTION mode 30 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Progress Infrastructure – WebSpeed

(cont)  Make the WebSpeed Broker run without DEBUG 31 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Progress Infrastructure – WebSpeed

(cont)

Remove the “Generated by Webspeed” Message (OE10)

...

/* Output any pending messages */ IF available-messages(?) THEN output-messages("all", ?, "Messages:").

IF CAN-DO ("text/html*,text/x-server-parsed html*",output-content-type) THEN {&OUT} "~n~n~n":U.

OUTPUT {&WEBSTREAM} CLOSE.

...

© 2007 Progress Software Corporation 32 COMP-11: Best practices for Deploying AppServer and WebSpeed

Progress Infrastructure – WebSpeed

(cont)  Minimize access to the WebSpeed Messenger Administration tool 33 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Progress Infrastructure – WebServices Adapter

 Minimize access to the WebServices Adapter Administration tool 34 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Agenda

35    AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database  Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Application Security – Generic

 Use RCODEKEY and DBAUTHKEY to limit which .R’s can run against the database   CLIENT-PRINCIPAL object Program “defensively” • • Make sure it fails in a secure manner Never accept parameters from a user without verification © 2007 Progress Software Corporation 36 COMP-11: Best practices for Deploying AppServer and WebSpeed

Application Security – WebSpeed

   Modify WEB-DISP.P to: • Check using the user-id and limit access to programs • • Make sure they are logged on Remove access to DEBUG, PING and RESET Pass parameters in an “encrypted” manner Reconnect to the database if not connected © 2007 Progress Software Corporation 37 COMP-11: Best practices for Deploying AppServer and WebSpeed

Application Security – WebSpeed

(cont)

Old WEB-DISP.P code

...

AppProgram = (IF AppProgram = "debug":U THEN "webutil/debug.p":U ELSE (IF AppProgram = "ping":U THEN "webutil/ping.p":U ELSE (IF AppProgram = "reset":U THEN "webutil/reset.p":U ELSE AppProgram))).

RUN run-web-object IN web-utilities-hdl (AppProgram) NO-ERROR.

...

© 2007 Progress Software Corporation 38 COMP-11: Best practices for Deploying AppServer and WebSpeed

39

Application Security – WebSpeed

(cont)

New SECURE-WEB-DISP.P code

...

vGUID = get-field ("GUID").

find first tState where tState.GUIDField = vGUID.

if not available tState then AppProgram = "logon.r".

else if not can-find (tProgs where tProgs.UsersID = tState.UsersID

and tProgs.ProgID = AppProgram) then AppProgram = "invalidprogram.r".

RUN run-web-object IN web-utilities-hdl (AppProgram) NO-ERROR.

...

© 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Application Security – AppServer

 Use the CONNECT or STARTUP procedure to set the available programs via the EXPORT method on the SESSION handle 40 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Application Security – AppServer

(cont)

Client Code for connecting to the AppServer

DEFINE VARIABLE hAppSrv AS HANDLE NO-UNDO.

DEFINE VARIABLE lOK AS LOGICAL NO-UNDO.

CREATE SERVER hAppSrv.

lOK = hAppSrv:CONNECT ("-AppService inventory", "FRED", "MYPASSWORD").

...

RUN XXX.P ON hAppSrv.

...

hAppSrv:DISCONNECT () NO-ERROR.

DELETE OBJECT hAppSrv NO-ERROR.

© 2007 Progress Software Corporation 41 COMP-11: Best practices for Deploying AppServer and WebSpeed

Application Security – AppServer

(cont)

Server Code in CONNECT.P

DEFINE INPUT PARAMETER pUserID AS CHARACTER.

DEFINE INPUT PARAMETER pPassWd AS CHARACTER.

DEFINE INPUT PARAMETER pASInfo AS CHARACTER.

find first tUsers where tUsers.UsersID = pUserID if available tUsers and tUsers.PassWd = pPassWd no-lock no-error.

then SESSION:EXPORT (tUsers.AllowedProgsList).

else RETURN ERROR "Invalid UserId and/or Password".

© 2007 Progress Software Corporation 42 COMP-11: Best practices for Deploying AppServer and WebSpeed

Agenda

43    AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database  Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Database Security

  This is the last line of defence Hopefully all the other techniques have managed to stop the intruders 44 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Database Security

(cont) 45  Encryption • • Individual fields via the ENCRYPT function Entire Database via operating system filesystem – Linux – dm-crypt and others – Solaris – zfs (one day) – IBM – Can’t find a reference – HP – Can’t find a reference – Windows – Many solutions • Hardware Device – Seagate Momentus ® 5400 FDE.2 © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

Database Security

(cont)    CAN-READ, CAN-WRITE, etc • • Compile time security Dynamic queries use these fields, so may cause issues Disallow the “Blank” userid Use File system permissions on Database files to minimise access to users © 2007 Progress Software Corporation 46 COMP-11: Best practices for Deploying AppServer and WebSpeed

Database Security

(cont)  If not needed, do not install SQL-92 Database facilities  Set up SQL-92 Database security to minimise ODBC/JDBC access by using the GRANT command •

GRANT SELECT ON customer TO dbuser2;

47 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Agenda

48    AppServer and WebSpeed components Sample deployments • • • Security • • Network Machines Progress Infrastructure Application Database  Summary © 2007 Progress Software Corporation COMP-11: Best practices for Deploying AppServer and WebSpeed

In Summary

 Always deploy for the Internet or Extranet using a Firewall and DMZ   Secure your machines, application and network Turn off “Development” in WebSpeed 49 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Questions?

50 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Relevant Exchange Sessions

 INT-10:  COMP-1:  DB-14:  DEV-4: Understanding the AppServer, Inside-out Securing your web application against hackers OpenEdge Database Run-Time Security Revealed OpenEdge in an LDAP World © 2007 Progress Software Corporation 51 COMP-11: Best practices for Deploying AppServer and WebSpeed

For More Information, go to…

 Documentation: • OpenEdge Getting Started: Core Business Services – Security and authentication • OpenEdge Revealed – Achieving Server Control with Fathom Management • OpenEdge Application Server: Administration © 2007 Progress Software Corporation 52 COMP-11: Best practices for Deploying AppServer and WebSpeed

For More Information, go to…

 Progress Software Knowledgebase • • 19533 – Running WebSpeed in Production Mode P22658 – The new DATABASES environment variable for WebSpeed 53 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation

Thank you for your time

54 COMP-11: Best practices for Deploying AppServer and WebSpeed © 2007 Progress Software Corporation