The Tomcat Java Servlet has a strict requirement that a ROOT webapp must exist in order for Tomcat\PASOE to work.
The oeabl.war webapp, is the default OpenEdge ABL Web application that implements OpenEdge Adapters deployed with the name ROOT prior to OpenEdge 12.2
What's the PASOE oeabl.war file?
When web application(s) are not deployed at the root of a Tomcat, it can be replaced by deploying the noaccess.war to ROOT:
- The noaccess.war file provides the ability to reserve a PAS for OpenEdge server URL
- It allows no access to any other web application, ABL web application, or ABL business application.
- When the instance is started, no ABL agent process is started because no ABL application (oeabl.war) is deployed to this instance and therefore does not have a multi-session agent.
- The Browser returns a 400 “request refused” error when called
Since OpenEdge 12.2, the PAS for OpenEdge production security model uses noaccess.war deployed to the ROOT application, instead of oeabl.war
- The PAS instance will not become a PASOE server until an oeabl.war based webapp is deployed, as outlined below.
- If the instance already exists and a ROOT web application is not required, then deploy the noaccess.war application in place of ROOT, as outlined below.
- The PAS production security model will create an instance with the psc.as.security.model=pas. This has no OpenEdge in it at all, so it will not work with pasoestart for example. Once an oeabl.war or an oear is deployed, it becomes a PASOE server.
- This PAS production security model is accessed at instance creation by using the option: "-Z pas" to create a PAS instance without an ABL app in it, that has the noaccess webapp deployed as ROOT.
$ pasman create -Z pas myProdInst
Prior to OpenEdge 12.2, PASOE supports two security models: dev and prod
- For a production security model instance, the oeabl.war-based ROOT ABL web application has all transports disabled by default, whereas the development securtiy model has these all enabled by default when the instance is created.
To secure the ROOT webapp in production environments
- Deploy the {CATALINA_HOME}/extras/noaccess.war as the ROOT webapp; it's a non-ABL webapp that's more secure than even the default tomcat ROOT webapp.
- To assure the ROOT webapp exists which is required but is not used, it will secure the ROOT webapp in production environments.
- The server will not expose a JSESSIONID for the ROOT application which is otherwise the oeabl.war.
$ {CATALINA_BASE}/tcman stop
Un-deploy the current ROOT application to remove its association with the default oeabl.war ABL web application
$ {CATALINA_BASE}/bin/tcman undeploy ROOT
Deploy the secured ROOT application
$ {CATALINA_BASE}/bin/tcman deploy -a ROOT {CATALINA_HOME}/extras/noaccess.war
ABL applications are accessed through the ABL web application using a server URL instead of through the default ROOT web application at http://hostname:port/
Deploy the oeabl.war with the ABL application and ABL web application name to create the applications on the PAS for OpenEdge instance
$ {CATALINA_BASE}/bin/tcman deploy -a FinanceService {CATALINA_HOME}/extras/oeabl.war AccountsApp
Prior to the availability of noaccess.war, there were no customer requirements at the time to back port noaccess.war to any earlier version of OpenEdge. The OE12 noaccess.war cannot be used with an earlier version of OpenEdge because it would need to be recompiled to build a new version of the .war file specifically for 11.7.
How to submit an enhancement request for a Progress product?
NOTE:
- CATALINA_HOME is the OpenEdge install directory: <DLC>/servers/pasoe
- CATALINA_BASE is where the PASOE instance was created with "tcman create". For example: <wrkdir>\oepas1 , oeapps/myProdInst
