Going into production: checklist for Applications using GAM

This checklist shows the tasks you need to perform after testing an application which uses GAM, in order to put the application into production. ()

The idea is to mitigate risks which compromise the security of the application.

Pursuing the purpose of protecting the privacy of the company and keep the information secure, the decision on how to configure the following items depend on the severity and characteristics of the application.

Set up HTTPS protocol in the Application Server.

This is essential in case of SD Applications. In case of WEB Applications it´s essential to have HTTPS at least in all objects where passwords are entered, like the login and registration panels.

Change Administrator Password.

The password of administrator users of GAM repository have to be changed using GAM Backend.

Change "Gamadmin" user password.

This is the password of the administrator of the Repositories.

Delete all users defined for testing purposes.
Create new Repository Connections.

By default the GAM Connection User is <version_name>, the connection user password needs to be changed when the application is going into production.

In production time, when the application is deployed, the file gxmetadata (with all its contents) should not be deployed for security.

That means that the "gxmetadata" folder should be deleted from the deployment (except the files <main_object>.<plataform>.json).

The web server should not serve the connection.gam file.

The GAM Backend should be private, so as only Administrator users can execute these web panels.

The web panels of the Backend have the code to keep this privacy (see: Access restricted to GAM Backend). You should take into consideration to check Require Access Permissions Application Property of the Application.

The web panels "GAMExampleRecoverPasswordStep1" and "GAMExampleRecoverPasswordStep2" have to be edited and changed as suggested in GAM: A way to solve Forgot Password, they should not be left as they are distributed (they are examples consolidated in GAM_Examples folder).

Regarding the Smart Devices architecture,

Actions programmed by GeneXus users are translated into REST Web Services calls in general. So REST services need to be protected as well as SD objects. Make a search in the KB by "Rest Protocol= TRUE", so you can easily find all the REST services and check the Permissions configuration for each of them.

Depending on the security needed:

Do not use Client Side Caching in SD applications.
Configure the following in the Repository:
- UserRememberMeType property (None, Login, Authentication, Both). The most secure value is "None".
- User Remember Me Timeout (days)
- User Recovery Password Key Timeout (minutes)
- Minimum Amount Of Characters In Login
- Login Attempts To Lock User
- Login attempts to lock session Repository property
- GAM Unblock User Timeout property
- Give WEB Anonymous Session
- User Session Cache Timeout (seconds). It's advisable to be set with a value less or equal to 30 seconds.
- Session Expires On IP Change property
- User Activation Method Repository property. It's not advisable to set to "Automatic" value.
- User Automatic Activate TimeOut property
- Check the Default Security Policy of GAM Repository, and the Repository Default Role.
- Cache Timeout (minutes) Repository Property.
Configure the following in all the Security Policies defined in the Repository:
- Web Session timeout (minutes)
- Allow Multiple Concurrent Web Sessions Security Policy Property. The most secure value is "No".
- OAuth token expire (minutes)
- OAuth token maximum renovations
- Period change password (days)
- Minimum Time to Change Passwords Security Policy
- Minimum Length Of The Password
- Minimum Numeric Characters Password
- Minimum Upper Case Characters Password
- Minimum Special Characters Password
- Maximum Password History Entries

In case of SD Applications, take into consideration setting Single User Access property.

Going into production: checklist for Applications using GAM

See Also