
Edits to pem10 group3 #6735

Merged
merged 3 commits into from
May 19, 2025
7 changes: 3 additions & 4 deletions product_docs/docs/pem/10/considerations/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,12 @@ navigation:
- installing_pem_server_and_apache_web_server_preferences
---

There are a number of things to consider before deploying Postgres Enterprise Manager.
Before deploying Postgres Enterprise Manager, consider these factors.

| Considerations | Implementation instructions |
| ---------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| Is a standalone server sufficient or do you need a high availability architecture? | [Installing the server](../installing/) or [Deploying high availability](ha_pem/) |
| Do you need to implement connection pooling? | [Deploying connection pooling](pem_pgbouncer/) |
| What type of authentication to use? | [Authentication options](authentication_options/) |
| What type of authentication should you use? | [Authentication options](authentication_options/) |
| What actions should you take to avoid security vulnerabilities? | [Securing your deployment](pem_security_best_practices/) |
| Where to host the web server? | [Web server installation options](installing_pem_server_and_apache_web_server_preferences) |

| Where should you host the web server? | [Web server installation options](installing_pem_server_and_apache_web_server_preferences) |
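Review bot: the link target in the rewritten last row, `installing_pem_server_and_apache_web_server_preferences`, is the only one in the table without a trailing slash; every other target in that column (`../installing/`, `ha_pem/`, `pem_pgbouncer/`, `authentication_options/`, `pem_security_best_practices/`) uses the directory form. Since this row is being touched anyway, make it `installing_pem_server_and_apache_web_server_preferences/` so all rows resolve the same way. The file header counts 3 additions and 4 deletions, which means the trailing blank line went out with the old row; check that the file still ends with a newline so the table row is not the last unterminated line.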
Original file line number Diff line number Diff line change
Expand Up @@ -9,19 +9,19 @@ redirects:

---

During the PEM server installation, you can specify your hosting preferences for the web server.
While installing the PEM server, you can specify your hosting preferences for the web server.
For production environments, best practice is to have the PEM server and web server on separate hosts.

## PEM server and web server on separate hosts

1. Install the PEM server on both the hosts. See [Installing the PEM server](../installing/).
2. Configure the PEM server host by selecting the **Database** option on the first host.
3. Configure a web server by selecting the **Web Services** option on the second host.
1. Configure the PEM server host by selecting the **Database** option on the first host.
1. Configure a web server by selecting the **Web Services** option on the second host.

For more information about configuring a PEM server, see [Configuring the PEM server on Linux platforms](../installing/configuring_the_pem_server_on_linux/).

## PEM server and web server on the same host

1. Install the PEM server. See [Installing the PEM server](../installing/).
2. Run the configuration script. Select the **Web Services and Database** option to install the PEM server and web server on the same host. See [Configuring the PEM server on Linux](../installing/configuring_the_pem_server_on_linux/).
1. Run the configuration script. To install the PEM server and web server on the same host, select the **Web Services and Database** option. See [Configuring the PEM server on Linux](../installing/configuring_the_pem_server_on_linux/).

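Review bot: "For production environments, best practice is to have the PEM server and web server on separate hosts." states the recommendation without the reason, so a reader cannot weigh it against the "same host" procedure that follows. Add the rationale in one clause, for example that it keeps the Apache instance that users connect to off the host that runs the PEM database, so a compromise of the web tier does not land directly on the database host. The "PEM server and web server on the same host" section could then carry a one-line pointer back to that recommendation instead of presenting the two layouts as equivalent. Minor: "Install the PEM server on both the hosts" reads better as "on both hosts".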
Original file line number Diff line number Diff line change
Expand Up @@ -14,14 +14,14 @@ navigation:

To harden your PEM deployment against attack, consider the following measures:

1. Ensure PEM itself, your operating system, and third party libraries are regularly updated. Without the most recent security patches, your system is vulnerable to cyberattacks.
Please refer to the [Dependencies](../../installing/dependencies.mdx) page to learn more about the system packages used by PEM.
- Ensure PEM, your operating system, and third-party libraries are regularly updated. Without the most recent security patches, your system is vulnerable to cyberattacks.
See [Dependencies](../../installing/dependencies.mdx) to learn more about the system packages used by PEM.

2. Ensure the Postgres instance used as the PEM server is kept up to date and apply [Postgres security best practices](https://info.enterprisedb.com/rs/069-ALB-339/images/Security-best-practices-2020.pdf).
- Ensure the Postgres instance used as the PEM server is kept up to date and apply [Postgres security best practices](https://info.enterprisedb.com/rs/069-ALB-339/images/Security-best-practices-2020.pdf).

3. [Secure the web server](apache_httpd_security_configuration.mdx)
- [Secure the web server](apache_httpd_security_configuration.mdx).

4. Configure the [security settings of the PEM web application](pem_application_configuration.mdx) as appropriate.
- Configure the [security settings of the PEM web application](pem_application_configuration.mdx) as appropriate.



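Review bot: the Postgres hardening reference still points at `https://info.enterprisedb.com/rs/069-ALB-339/images/Security-best-practices-2020.pdf`, a marketing-hosted PDF dated 2020; on a page whose first bullet tells readers to keep everything patched, link guidance that can itself be kept current, ideally a page in this repo. The `../../installing/dependencies.mdx` link is the only one in the list that includes the `.mdx` extension while the other two use directory-style paths. "Without the most recent security patches, your system is vulnerable to cyberattacks" is vague; the concrete risk is public exploits for the unpatched versions, and saying so gives the reader a reason to act. The three blank lines closing the hunk can be collapsed to one.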
Original file line number Diff line number Diff line change
Expand Up @@ -9,30 +9,29 @@ redirects:

## Session timeout

Insufficient session expiration by the web application increases the exposure of other session-based attacks. The attacker has more time to reuse a valid session ID and hijack the associated session. The shorter the session interval is, the less time an attacker has to use the valid session ID. We recommend that you set the inactivity timeout for the web application to a low value to avoid this security issue.
Setting session expiration time too long in the web application increases the exposure of other session-based attacks. The attacker has more time to reuse a valid session ID and hijack the associated session. The shorter the session interval is, the less time an attacker has to use the valid session ID. To avoid this security issue, we recommend that you set the inactivity timeout for the web application to a low value.

In PEM, you can set the timeout value for a user session. When there's no user activity for a specified duration on the web console, PEM logs out the user from the web console. A PEM administrator can set the length of time for inactivity. This value is for the whole application and not for each user. To configure the timeout duration, modify the `USER_INACTIVITY_TIMEOUT` parameter in the `config_local.py` file, located in the `<PEM_INSTALLATION_PATH>/web` directory. By default, this functionality is disabled.
In PEM, you can set the timeout value for a user session. When there's no user activity for a specified duration on the web console, PEM logs the user out of the web console. A PEM administrator can set the length of time for inactivity. This value is for the whole application, not for each user.

For example, to specify for an application to log out a user after 15 minutes of inactivity, set:
To configure the timeout duration, modify the `USER_INACTIVITY_TIMEOUT` parameter in the `config_local.py` file in the `<PEM_INSTALLATION_PATH>/web` directory. By default, this parameter is disabled. Specify the value in seconds.

For example, to specify for an application to log a user out after 15 minutes of inactivity, set the time as follows:

```ini
USER_INACTIVITY_TIMEOUT = 900
```

!!! Note
The timeout value is specified in seconds.

To apply the changes, restart the Apache service.
To apply the change, restart the Apache service.

For detailed information on the `config.py` file, see [Managing Configuration Settings](../../managing_configuration_settings/).
For detailed information on the `config.py` file, see [Managing configuration settings](../../managing_configuration_settings/).

## RestAPI header customization

You can customize the RestAPI token headers to meet your requirements. The default values aren't exposed by the `config.py` file. Customize the following headers in the `config_local.py` file:
You can customize the RestAPI token headers to meet your requirements. The default values aren't exposed by the `config.py` file. In the `config_local.py` file, customize the following headers.

### PEM_HEADER_SUBJECT_TOKEN_KEY

This configuration option allows you to change the HTTP header name to get the generated token. By default, when you send a request to create a token, the server response has an `X-Subject-Token` header. This header contains the value of a newly generated token. If you want to customize the header name, then you can update the `config_local.py` file:
This configuration option lets you change the HTTP header name to get the generated token. By default, when you send a request to create a token, the server response has an `X-Subject-Token` header. This header contains the value of a newly generated token. If you want to customize the header name, then you can update the `config_local.py` file:

```ini
PEM_HEADER_SUBJECT_TOKEN_KEY = 'Pem-RestAPI-Generate-Token'
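Review bot: "By default, this parameter is disabled. Specify the value in seconds." does not say what disabled looks like in `config_local.py` (unset, `0`, or something else), and the paragraph above asks only for "a low value" without naming one; since the example sets `USER_INACTIVITY_TIMEOUT = 900`, state the disabling value explicitly and present 900 seconds (or whatever the product team recommends) as the suggested starting point, otherwise administrators will leave the timeout off. In the first paragraph, "increases the exposure of other session-based attacks" has no antecedent for "other"; "increases exposure to session-based attacks such as session hijacking" is what the next sentence actually describes. Minor: "Setting session expiration time too long" wants an article ("the session expiration time").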
Expand All @@ -51,55 +50,55 @@ Pem-RestAPI-Generate-Token: 997aef95-d46d-4d84-932a-a80146eaf84f

### PEM_HEADER_TOKEN_KEY

This configuration option allows you to change the HTTP request header name. With this header name, you can send the token to the PEM server. By default, when you send a request to generate a token, the token header name is `X-Auth-Token`. If you want to customize the RestAPI request header name, then you can update the `config_local.py` file:
This configuration option lets you change the header name of the HTTP request. With this header name, you can send the token to the PEM server. By default, when you send a request to generate a token, the token header name is `X-Auth-Token`. If you want to customize the RestAPI request header name, you can update the `config_local.py` file:

```ini
PEM_HEADER_TOKEN_KEY = 'Pem-Token'
```

This setting allows you to send the token:
This setting lets you send the token:

```shell
$ curl -Lk -X GET -H "Pem-Token: gw5rzaloxydp91ttd1c97w24b5sv60clic24sxy9" https://localhost:8443/pem/api/v4/agent
```

### PEM_TOKEN_EXPIRY

This configuration option allows you to change the PEM RestAPI token expiry time after it's generated. By default, the token expiry time is set to 20 minutes (1200 seconds). If you want to change the token expiry time to 10 minutes, then you can update the `config_local.py` file:
This configuration option lets you change the PEM RestAPI token expiry time after it's generated. By default, the token expiry time is set to 20 minutes (1200 seconds). For example, to change the token expiry time to 10 minutes, update the `config_local.py` file as follows:

```ini
PEM_TOKEN_EXPIRY = 600
```

To apply the changes, restart the Apache service.
To apply the change, restart the Apache service.

## Role-based access control in PEM

Role-based access control (RBAC) restricts application access based on a user’s role in an organization and is one of the primary methods for access control. The roles in RBAC refer to the levels of access that users have to the application. Users are allowed to access only the information needed to do their jobs. Roles in PEM are inheritable and additive, rather than subscriptive. In other words, as a PEM admin you need to grant the lowest level role to the user and then grant the roles the user needs to perform their job. For example, to give access only to SQL profiler:
Role-based access control (RBAC) restricts application access based on a user’s role in an organization. It's one of the primary methods for access control. The roles in RBAC refer to the levels of access that users have to the application. Users are allowed to access only the information needed to do their jobs. Roles in PEM are inheritable and additive rather than subscriptive. In other words, as a PEM admin, you need to grant the lowest level role to the user and then grant the roles the user needs to perform their job. For example, to give access only to SQL Profiler:

```sql
CREATE ROLE user_sql_profiler WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOREPLICATION CONNECTION LIMIT -1 PASSWORD 'xxxxxx';
GRANT pem_user, pem_comp_sqlprofiler TO user_sql_profiler;
```

For detailed information on roles, see [PEM Roles](../../managing_pem_server/#using-pem-predefined-roles-to-manage-access-to-pem-functionality).
For detailed information on roles, see [PEM roles](../../managing_pem_server/#using-pem-predefined-roles-to-manage-access-to-pem-functionality).

## SQL/Protect plugin

Often, preventing an SQL injection attack is the responsibility of the application developer, while the database administrator has little or no control over the potential threat. The difficulty for database administrators is that the application must have access to the data to function properly.
Often, preventing an SQL injection attack is the responsibility of the application developer. The database administrator has little or no control over the potential threat. The difficulty for database administrators is that the application must have access to the data to function properly.

SQL/Protect is a module that allows a database administrator to protect a database from SQL injection attacks. SQL/Protect examines incoming queries for typical SQL injection profiles in addition to the standard database security policies.

Attackers can perpetrate SQL injection attacks with several different techniques. A specific signature characterizes each technique. SQL/Protect examines queries for unauthorized relations, utility commands, SQL tautology, and unbounded DML statements. SQL/Protect gives the control back to the database administrator by alerting the administrator to potentially dangerous queries and then blocking those queries.
Attackers can perpetrate SQL injection attacks using several different techniques. A specific signature characterizes each technique. SQL/Protect examines queries for unauthorized relations, utility commands, SQL tautology, and unbounded DML statements. SQL/Protect gives the control back to the database administrator by alerting the administrator to potentially dangerous queries and then blocking those queries.

!!! Note
This plugin works only on the EDB Postgres Advanced Server server, so this is useful only when your PEM database is hosted on the EDB Postgres Advanced Server server.
This plugin is useful only when your PEM database is hosted on the EDB Postgres Advanced Server server. It doesn't work on other servers.

For detailed information about the SQL Profiler plugin, see [SQL Profiler](../../profiling_workloads/).

## Password management

One security tip for PEM administrative users is to change your PEM login passwords to something new regularly. Changing your password:
One security tip for PEM administrative users is to regularly change your PEM login passwords to something new. Changing your password:

- Prevents breaches of multiple accounts
- Prevents constant access
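Review bot: the `PEM_HEADER_TOKEN_KEY` description carries an error over from the old text: "By default, when you send a request to generate a token, the token header name is `X-Auth-Token`" describes the token-generation request, but the `PEM_HEADER_SUBJECT_TOKEN_KEY` section above says the generation response returns the token in `X-Subject-Token`, and the curl example here sends the token on a later `GET .../pem/api/v4/agent` call. Reword to something like "By default, requests that present an existing token send it in the `X-Auth-Token` header". That curl example also uses `-k`, which disables TLS certificate verification; on a hardening page either drop it or say it is only for a lab with a self-signed certificate. In the SQL/Protect section, "For detailed information about the SQL Profiler plugin, see [SQL Profiler]" cross-references a different feature and should point at the SQL/Protect documentation. Smaller points: "additive rather than subscriptive" presumably means "subtractive", "EDB Postgres Advanced Server server" repeats "server", and the password bullets "Prevents breaches of multiple accounts" and "Prevents constant access" would read better as what rotation actually does, which is shorten the window in which an already-leaked password stays usable.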
Expand All @@ -110,7 +109,9 @@ One security tip for PEM administrative users is to change your PEM login passwo

In most cases, pemAgent is installed as a root user and runs as a daemon process with root privileges. By default, PEM disables running the scheduled jobs/task. PEM provides support for running scheduled jobs as a non-root user by changing the pemAgent configuration file.

To run scheduled jobs as a non-root user, modify the entry for the `batch_script_user` parameter in the `agent.cfg` file and specify the user to run the script. You can either specify a non-root user or root user identity. If you don't specify a user, or the specified user doesn't exist, then the script doesn't execute. Restart the agent after modifying the file. If a non-root user is running `pemagent`, then the value of `batch_script_user` is ignored, and the same non-root user used for running the `pemagent` executes the script.
To run scheduled jobs as a non-root user, modify the entry for the `batch_script_user` parameter in the `agent.cfg` file and specify the user to run the script. You can specify either a non-root user or root user identity. If you don't specify a user or the specified user doesn't exist, the script doesn't execute.

After modifying the file, restart the agent. If a non-root user is running pemAgent, the value of `batch_script_user` is ignored. The same non-root user used for running the pemAgent executes the script.

To invoke a script on a Windows system, set the registry entry for `AllowBatchJobSteps` to `true` and restart the PEM agent. PEM registry entries are located in:

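Review bot: "You can specify either a non-root user or root user identity" needs a warning next to it: pemAgent runs as root, so setting `batch_script_user` to root means every scheduled job script runs with root privileges, and anyone allowed to define jobs in PEM can then execute arbitrary commands as root on the agent host. Say that plainly and recommend a dedicated low-privilege account. The fail-closed behaviour in "If you don't specify a user or the specified user doesn't exist, the script doesn't execute" is worth labelling as intentional so it does not read like an error condition to be worked around. In the unchanged lead sentence, "PEM disables running the scheduled jobs/task" reads better as "scheduled jobs".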