Going into production: checklist for Applications using GAM

Official Content
This documentation is valid for:

This checklist shows the tasks you need to perform after testing an application that uses GAM, in order to put the application into production.

The idea is to mitigate risks that compromise the security of the application. 

Pursuing the purpose of protecting the privacy of the company and keeping the information secure, the decision on how to configure the following items depends on the severity and characteristics of the application.

  • Set up HTTPS protocol in the Application Server.

This is essential in case of SD Applications. In case of WEB Applications it is essential to have HTTPS at least in all objects where passwords are entered, like the login and registration Panels.

The password of administrator users of GAM repository has to be changed using GAM Backend.

  • Change "Gamadmin" user password.

This is the password of the administrator of the Repositories.

By default, the GAM Connection User is <version_name>, the connection user password needs to be changed when the application is going into production.

  • In production time, when the application is deployed, the gxmetadata directory (with all its contents) should not be deployed for security.
    That means that the "gxmetadata" directory should be deleted from the deployment (except the files <main_object>.<plataform>.json and the gxversion.json file). The appid.json file is necessary to be kept if dynamic services URL are used.

The web server should not serve the connection.gam file.

The Web Panels of the Web Backoffice have the code to keep this privacy (see: Access restricted to GAM Backend). 

If you don't use the GAM - Web Backoffice distributed binaries to take into production, but compile the GAM Examples, consider that the Web Panels "GAMExampleRecoverPasswordStep1" and "GAMExampleRecoverPasswordStep2" have to be edited and changed as suggested in GAM: A way to solve Forgot Password, they should not be left as they are distributed (they are examples consolidated in GAM_Examples folder).

The same happens with the GAMExampleRegisterUser, GAMExampleUpdateRegisterUser and the GAMExampleChangePassword Panels.

Actions programmed by GeneXus users are translated into REST Web Services calls in general. So REST services need to be protected as well as SD objects. Make a search in the KB by "Rest Protocol= True", so you can easily find all the REST services and check the Permissions configuration for each of them.

Depending on the security needed:

  • In case of SD Applications, take into consideration setting Single User Access property.
     

See Also

Security recommendations for Smart Devices Applications
OWASP Top 10 Security Risks
OWASP 2013 Top 10 in GeneXus Applications
GAM - Applications deployment
GAM - Deploy Tool