Kbase 19533: Running WebSpeed in Production Mode
Author |
  Progress Software Corporation - Progress |
Access |
  Public |
Published |
  16/10/2008 |
Status: Verified
GOAL:
How to Run WebSpeed in Production Mode.
GOAL:
How to move WebSpeed application from development mode to production mode.
GOAL:
Moving from Development Mode to Production Mode.
GOAL:
How to deploy a WebSpeed application
GOAL:
How to implement WebSpeed in production
GOAL:
How to restrict access to the WebSpeed Workshop application
GOAL:
How to disable access to the WebSpeed Workshop?
GOAL:
What is disabled when WebSpeed is set to Production mode?
FACT(s) (Environment):
WebSpeed 3.x
All Supported Operating Systems
OpenEdge 10.x
FIX:
This Solution is not intended as a complete security solution. It is a reference for ensuring that a WebSpeed application runs in production mode and does not serve development utilities or programs to web users.
Security is not a solution but a process: one that needs constant updating, monitoring and changing as technology and system access evolve. Security is a multiple-step approach that uses hardware and software to protect your vital company data.
Correctly setting your WebSpeed application to production mode is a necessary security step. This Solution explains how to run your WebSpeed application in production mode, including some configuration changes that make unwanted access to the application more difficult for would-be hackers.
Disable WSMAdmin (AllowMsngrCmds=0):
The WSMAdmin (WebSpeed Messenger Administration) utility helps a developer debug problems in the configuration of WebSpeed. The utility provides information about the NameServer, WebSpeed broker, WebSpeed agent, system, access to static HTML files, and more. Access to this utility on a production machine gives web users important information about your site.
Always disable the WSMAdmin utility.
WSMAdmin access is disabled by default; you must enable it to use the utility in a development environment. This version has an added option called "wsmAdmIPList" that sets a list of IP addresses that can access the utility. Other IP addresses are refused access. With this option, the WSMAdmin utility can be left on to help debug possible system problems while denying access to unwanted IP addresses.
Set the Application Mode to Production (srvrAppMode=Production):
When this option is set to "Development", specific development files, including the Workshop, are accessible. With the option set to "Production", the Workshop (and all files associated with the Workshop) becomes unavailable, as do the files in the src/web/examples directory.
(Refer to the comments in the WebSpeed.cnf file [WebSpeed 2] or the ubroker.properties file [WebSpeed 3] for more information.)
Set the Debug option to off (srvrDebug=Disabled):
This option allows a developer to add debugging information that is displayed in the browser when running code. The option gives information about the WebSpeed agent, system and pathing of the application.
Always disable this option when you go to production.
(Refer to the WebSpeed.cnf file or the ubroker.properties file for more information.)
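The three settings above can be audited directly from the properties file before a broker is started. The following POSIX shell script is an added example, not code from this Solution or from Progress: it reads a ubroker.properties file and reports every setting whose effective value differs from the production value. It assumes the usual "[Section]" / "key=value" layout in which a broker section inherits from the [UBroker.WS] parent section; the sample file and the broker name wsbroker1 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Progress-supplied code: audit one WebSpeed broker in
# ubroker.properties for srvrAppMode, srvrDebug and AllowMsngrCmds. Assumes
# "[Section]" / "key=value" lines, with [UBroker.WS] as the inherited parent.
# Constructed sample: the parent section is safe, but wsbroker1 (a made-up
# broker name) still carries its development-time overrides.
write_sample() {
  cat >"$1" <<'EOF'
[UBroker.WS]
    srvrAppMode=Production
    srvrDebug=Disabled
    AllowMsngrCmds=0
[UBroker.WS.wsbroker1]
    portNumber=3055
    srvrAppMode=Development
    srvrDebug=Enabled
    AllowMsngrCmds=1
EOF
}
# prop_value FILE SECTION KEY: value of KEY inside [SECTION], empty if absent.
prop_value() {
  awk -v s="[$2]" -v k="$3" '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
    line == s    { in_s = 1; next }   # entered the wanted section
    line ~ /^\[/ { in_s = 0; next }   # any other header ends it
    in_s {
      eq = index(line, "=")
      if (eq && substr(line, 1, eq - 1) == k) { print substr(line, eq + 1); exit }
    }' "$1"
}
# effective_value FILE BROKER KEY: the broker section wins, else the parent.
effective_value() {
  v=$(prop_value "$1" "UBroker.WS.$2" "$3")
  [ -n "$v" ] || v=$(prop_value "$1" "UBroker.WS" "$3")
  printf '%s\n' "$v"
}
# audit_broker FILE BROKER: one line per unsafe setting; returns the count.
audit_broker() {
  bad=0
  for pair in srvrAppMode=Production srvrDebug=Disabled AllowMsngrCmds=0; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(effective_value "$1" "$2" "$key")
    if [ "$got" != "$want" ]; then
      echo "$2: $key=${got:-<unset>} (expected $want)"; bad=$((bad + 1))
    fi
  done
  return $bad
}
```

A non-zero return from audit_broker is the number of settings still at development values, so the script can gate a deployment step.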
Changes to make unwanted access to your application more difficult:
- Change all default ports to random values (not the defaults of 20931, 5162, 3050, 3055).
- Change all default broker/server names from the default names.
- Minimize the PROPATH so that it allows access only to the application and the necessary DLC/tty files.
  Do not include ftp directories in the PROPATH.
  Do not include the upload directory in the PROPATH.
  Do not include any web server directories in the PROPATH.
  Do not include the Progress-supplied procedure libraries.
- Hide your cgiip and wsisa messengers. IIS can configure an extension (like .wsc) to run a specific executable. With the .wsc file, you can pass the broker name, hiding the messenger name and broker name on your website. When you use wspd_cgi.sh on UNIX, change the script name (hiding the messenger name and the broker name). You can also help hide your messenger by renaming cgiip(.exe), wsisa.dll and/or wsnsa.dll.
- Do not allow execute permission on your "file upload" directory. Again, do not put your "file upload" directory in your PROPATH.
- Keep only your messenger and web server on a machine outside your firewall, and keep your broker/server and database inside the firewall.