Security AppScan Enterprise V9.0.3.9 Planning & Installation Guide
IBM
Contents
Chapter 1. IBM Security AppScan Enterprise 9.0.3.9 documentation ... 1
Chapter 3. Installing ... 21
Planning the deployment and installation ... 21
Planning checklist ... 21
Installation requirements ... 22
Installation topology examples ... 36
Preinstallation tasks ... 39
Preinstallation checklist ... 39
Configuring the SQL Server database for AppScan Enterprise ... 40
Enabling IIS6 compatibility with IIS7 on Windows 2008 Server ... 41
Disabling Internet Explorer Enhanced Security Configuration on Windows Server 2008, 2008 R2, and 2012 ... 41
Configuring Flash to work on Windows Server 2012 ... 42
Downloading and extracting the electronic images ... 42
Using a certificate in your certificate store with Liberty ... 42
Installation tasks ... 44
Installation checklist ... 44
Sample installation scenarios ... 45
Post installation tasks ... 87
Postinstallation checklist ... 88
Verifying the agent service and alerting service installation ... 88
Configuring a basic user registry for the Liberty profile ... 88
Securing the deployment ... 88
Support for FIPS 140-2 and NIST SP800-131a security standards ... 98
Authenticating with the Common Access Card (CAC) ... 102
Advanced installation scenarios ... 105
Installing multiple instances of the Enterprise Console on a single server ... 105
Setting up an external scanner for AppScan Enterprise in the DMZ ... 106
Installation roadmap for AppScan Source deployment ... 106
Configuring more than one IP address for the host computer ... 107
Uninstalling an instance of the Enterprise Console ... 107
Uninstalling the software ... 108
Testing the staging environment ... 122
Upgrading the AppScan Enterprise production environment ... 122
Preparing production for AppScan Enterprise Software upgrade ... 122
Upgrading production AppScan Enterprise software ... 122
Testing production AppScan Enterprise software post upgrade ... 123
Configuring the SQL Server database for AppScan Enterprise ... 123
Using a certificate in your certificate store with Liberty ... 123
Upgrading the AppScan Source LDAP connection with an Oracle database ... 125
Enabling FIPS 140-2 or NIST SP800-131a on WebSphere Liberty Profile ... 125
Index ... 159
Application Security Developer Center
What are some of the challenges your organization might be facing when it comes to application security?
• Compliance: External regulations and internal policy requirements
  – How do you set internal policy requirements for application security?
  – Is your private/sensitive data exposed by apps?
  – How do you check for, and demonstrate, application compliance?
• Pace: Rapid growth in the number of applications and releases to meet business requirements
  – Which applications pose the biggest business risk?
  – How do you test apps for security in rapid DevOps/Agile shops, without slowing down the process?
  – How do you reduce costs and catch security problems earlier in the lifecycle before they get into production?
• Resources: Resource and awareness challenges
  – Where do you start? How do you prioritize the work?
  – What do you test, and how do you test it?
  – How do you staff and improve skills and awareness?
Using AppScan Enterprise, security teams can build an inventory of their
application assets, classify, and prioritize their assets by business impact before
they even start any security testing. This is important because organizations have
limited resources and need to focus on the areas of highest risk. After applications
are assessed for security vulnerabilities, they can be ranked by a security risk score.
This enables Security teams to prioritize vulnerabilities in the context of the
applications in which they exist, and focus on remediation activities that have the
biggest impact when it comes to mitigating security risk for the organization.
The SQL Server database is the central repository for the information gathered during a job (statistics, scan logs, and activity-event polling), and it is the means of communication between the Enterprise Console and the testing agents on the Dynamic Analysis Scanner. Regardless of whether you install the Server or the Scanner, you create a database on a SQL Server that you have installed in your environment. Configure the database first so that the key information AppScan Enterprise Server requires during configuration is ready and available. The database contains the following data:
• All data gathered by the agents
• Information about the scope applied to report data
• Summarized historical reporting data
• Agent configuration, scheduling, status, and alerting information
• User configuration and permission information
Note: If you are an AppScan Source user, this is all you need to install, unless
you want to see correlated reports from results you publish to the Enterprise
Server. Then you need to install the Enterprise Console as well.
• Enterprise Console: The Enterprise Console provides the user interface and reports through a web browser. It is the main user interface and supports
The Monitor view displays only the applications that you have permission to
access. The dashboard charts track various metrics and trends of the web
applications that compose your portfolio.
The Dashboard tab provides a holistic view of your business portfolio. In the lower
section of the dashboard, select a chart to further investigate:
• Security Risk Rating (trend): Track application risk over time. Select the category check boxes to display the content you want to see. Hover over chart sections for details.
• Security Risk Rating by Business Unit: Prioritize application risk management by business unit. Hover over chart sections for details. Click through to the Portfolio tab to continue your triage process.
• Testing Status (trend): Track testing status. Select the category check boxes to display the content you want to see. Hover over chart sections for details.
• Open Issues (trend): Shows the number of open issues. Hover over chart sections for details.
• Applications with Open Issues (trend): Track the number of applications with open issues. Hover over chart sections for details.
• Top Issue Types: Shows the top issue types across all of your applications in the portfolio. For example, if there are many SQL injection issues, you can plan training for your developers. Hover over chart sections for details.
• Issue Severity (Max): Identifies applications by their highest level of issue severity. Hover over chart sections for details. Click through to the Portfolio tab to continue your triage process.
• Issue Severity (Max) by Business Unit: Identifies applications by business unit, by their highest level of issue severity. Hover over chart sections for details. Click through to the Portfolio tab to continue your triage process.
Note:
1. Content and infrastructure agents can perform only one job at a time;
however, a single Scanner can run more than one agent simultaneously. More
than one job of the same type can be executed simultaneously on a given
computer, with each job being run in its own agent process.
2. The number of jobs running can exceed the maximum number of agents
assigned to the Scanner because the number of jobs running includes jobs
that are now in postprocessing or report generation. These jobs are no longer
using an agent on the Scanner.
3. If the number of jobs suspended by a blackout period exceeds the number of available agents on the Scanner, the blackout-period-suspended job is given priority when it is time to run the next job.
• Alerting service: The alerting service is responsible for sending alerts to the appropriate notification devices. Although you can have as many agents and agent services as you need, only one alerting service can be installed for each database.
What's new
Features and enhancements new to AppScan Enterprise.
New in 9.0.3.9
• Improved Action-Based Scanning: Updated Dynamic Analysis engine for greater compatibility with newer web apps, and improved coverage to reveal additional vulnerabilities.
• Windows 2016 Server support.
• Import HTTP Archive (HAR) traffic files for content scan jobs.
  – To be used as login sequence data in the Login Management page.
  – To be used as explore data in the What to Scan page.
• Users search capability in the Administration tab.
• OWASP Top 10 2017 Report in scan view.
• New ADAC capabilities.
  – Greatly improved Login Management configuration: Login Management includes many improvements to help you configure and manage how AppScan logs in to your application and maintains sessions.
  – New Action-Based Explore options give you greater control, and the Action-Based tab includes new settings to help achieve more efficient Action-Based exploring.
  – Communication and Proxy settings allow you to:
New in 9.0.3.8
• Security updates and APAR fixes
  – Add test WordPress load-scripts.php Denial of Service.
  – Add HSTS max-age check.
  – Visit this page to view the complete list: AppScan Enterprise 9.0.3 Fix List
• DAST for DevOps
  – Integration with deployment tools (for example: UDeploy) to automate creating and initiating scans; and now added capability to subscribe for receiving notifications about scan status (completed, failed, suspended, etc.). For more information, refer to the technote http://www.ibm.com/support/docview.wss?uid=swg22015122.
  – REST APIs for improved automation.
    - Unable to upload multi-line HAR format manual explore data via the Scan Management REST API.
    - Uploading HAR file manual explore data with a JSON POST body does not get seen after import via the Scan Management REST API.
    - New capability enables importing of traffic file(s) containing a multi-step sequence via the Application Management REST API.
• Other Improvements
  – Added support for TLS 1.2. For more information, refer to the technote http://www.ibm.com/support/docview.wss?uid=swg22015121
New in 9.0.3.7
• Security updates and APAR fixes
  – Includes a variety of new security rules for Apache Struts.
  – Visit this page to view the complete list: AppScan Enterprise 9.0.3 Fix List
• Enhanced DAST Scanning Engine
  – Improved Cross-Site Scripting testing: If a traditional XSS test fails, the test is automatically sent again using an actual browser. This approach enables finding additional vulnerabilities that were not found before.
  – Improved Automatic Login: Various techniques were added to increase the success of Automatic Login.
  – Improved Action-Based Crawling: Action-based crawling is more accurate and thorough, increasing application coverage.
New in 9.0.3.5
• Support was added for Microsoft SQL Server 2016 and for the .NET 4.6.2 framework
• You can delete selected 3rd party scanner issue imports from an application
• A new compliance report was added: Regulation (EU) 2016/679 of the European Parliament and of the Council - General Data Protection Regulation
New in 9.0.3.4
This fix pack synchronizes the versions across the AppScan product suite to simplify centralized management (the installation or updating of client components). AppScan Enterprise 9.0.3 fix pack versions are 9.0.3.1 (released on 04/26/16) and 9.0.3.4.
• Importing user-defined tests from AppScan Standard.
• New features in the AppScan Dynamic Analysis Client:
  – AppScan Dynamic Analysis Client now offers a second Automatic Explore method: Action-based Explore. This complements the existing Request-based Explore, in the Automatic Explore stage of the scan. By default both methods are used, with a 30 minute time limit for the Action-based Explore stage. See the "Explore Options view" topic in the AppScan Dynamic Analysis Client online help.
    Note: You can also access this feature on the Explore Options page of a content scan job. The options are turned on by default.
  – You can now change the host, scheme or port of the Starting URL in a scan configuration and AppScan will update, verify and confirm the necessary changes.
  – You can now set individual requests in a multi-step sequence to "Don't Test".
  – You can now delete individual URLs from a Manual Explore recording.
• Ability to see the issue imports for an application.
• Scan results (*.scan files) are now exported in the Support download logs.
• Ability to export reports in XML format.
New in 9.0.3.1
New in 9.0.3
• Reporting: From the Monitor view, export issues to reports in PDF or HTML formats.
• Issue import: Ability to import issues exported from a report in XML format from AppScan Standard v9.0.3
• New and updated dashboard charts:
  – OWASP Top Ten 2013: Identifies applications that contain issues that match the 10 most critical web application security risks.
  – CWE/SANS Top 25 Most Dangerous Software Errors: Identifies applications that contain issues that match the CWE/SANS Top 25 Most Dangerous Software Errors.
  – Top Issue Types (App): Updated to reflect the number of apps that are affected by the top issues that are discovered in your portfolio
• Issue management:
  – Track overdue issues. From the Portfolio view, track the number of applications with overdue issues. At the application level, track the overdue status for each individual issue.
  – New issue attributes:
    - Fixed Date: The date and time stamp when an issue was fixed.
    - Overdue: An issue that is not fixed by a predetermined date.
    - Customize the issue list view so that issues with a particular status are hidden from view: noise, passed, or fixed. From an application, go to List menu > Customize View to make your selections. As you classify issues with one of these statuses, they disappear from the list so that you can continue focusing on the issues that need attention.
  – Edit multiple applications simultaneously
• Portfolio triage:
  – Advanced filtering
  – Filter applications by issue attributes.
• New and updated REST APIs
• Page structure (DOM) filtering capability in the AppScan Dynamic Analysis Client.
New in 9.0.2.1
• Editing multiple issues simultaneously
• New dashboard trend chart: Open Issues by Severity
• Support was added for Microsoft SQL Server 2014
• Support for Liberty was upgraded from v8.5.5.4 to v8.5.5.6
• Standard Users can edit Basic and Additional options in the AppScan Dynamic Analysis Client. This capability can be given to other users as a custom user permission.
• Changes in the AppScan Dynamic Analysis Client:
  – New Proxy pane. If AppScan Enterprise uses a proxy server during the scan, you can use your Internet Explorer proxy settings (if configured), or enter custom settings.
  – Ability to log in to the Client from the desktop by using LDAP authentication.
• New and updated REST APIs
• Changes in content and layout of the About this Issue dialog
New in 9.0.2
• A new Dashboard tab displays the charts that were previously displayed in the Portfolio tab, and adds more metrics to assess the current status and progress of an application security initiative. This includes:
  – trend of portfolio risk status
  – the number of applications with open security issues
  – trend of overall open issues
  – trend of application test status
• A new approach to create scans consistent with AppScan Standard, for both the security team who creates the templates and for the developers who create the scans. See “Overview of scan configuration differences in v9.0.2 and higher and in previous versions” on page 151.
• New built-in formulas include new issues, open issues, fixed issues, and total issues.
• Enhancements to issue management:
  – A 'new' classification has been added for issue management. All issues that are scanned or imported from 3rd party scanners and that have not been triaged before are now classified as 'new' in both the Monitor and the Scans views.
  – Group issues by Status in an application tab.
• New and updated Application Security Management REST APIs.
For further details on what's new and changed since v9.0.1.1, read this whitepaper.
New in 9.0.1
• Redesigned Application Security Management user interface for easier navigation and access to information.
• Capability to import application security vulnerabilities discovered using manual pen-testing or third-party tools.
• Scoring and ranking vulnerabilities in application context using the Common Vulnerability Scoring System (CVSS). See Determining issue severity.
• Architecture redesign to reduce installation footprint and replacement of the IBM Rational® Jazz™ user authentication component with IBM WebSphere® Liberty. See “Replacing Jazz Team Server with WebSphere Liberty - Frequently asked questions” on page 114 before upgrading.
• A built-in REST API interface provides you with a way to visualize RESTful web services that are used for creating and updating applications, setting up application access for users, and adding or updating issues. Use the framework to interact with the API and get clear insight into how the API responds to parameters and options. See Enabling the Application Security Management REST API interactive framework.
• Glass box .NET agent now supports invisible parameters. This enables AppScan to identify HTTP parameters that are not visible to black box scanners, improving scan coverage. No special configuration is needed. Until now, invisible parameters were supported only for Java™ platforms.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may use or distribute any of the information you provide in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to
change before the products described become available.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to actual people or business enterprises is entirely
coincidental.
COPYRIGHT LICENSE:
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the web at "Copyright and
trademark information" at www.ibm.com/legal/copytrade.shtml.
Applicability
These terms and conditions are in addition to any terms of use for the IBM
website.
Personal use
You may reproduce these publications for your personal, noncommercial use
provided that all proprietary notices are preserved. You may not distribute, display
or make derivative work of these publications, or any portion thereof, without the
express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your
enterprise provided that all proprietary notices are preserved. You may not make
derivative works of these publications, or reproduce, distribute or display these
publications or any portion thereof outside your enterprise, without the express
consent of IBM.
Rights
IBM reserves the right to withdraw the permissions granted herein whenever, in its
discretion, the use of the publications is detrimental to its interest or, as
determined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full
compliance with all applicable laws and regulations, including all United States
export laws and regulations.
If the configurations deployed for this Software Offering provide you as customer
the ability to collect personally identifiable information from end users via cookies
and other technologies, you should seek your own legal advice about any laws
applicable to such data collection, including any requirements for notice and
consent.
For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en, sections entitled “Cookies, Web Beacons and Other Technologies” and “Software Products and Software-as-a Service”.
Accessibility features
IBM Security AppScan Enterprise includes the following major accessibility
features:
• User interface keyboard navigation
• Screen reader navigation
• Tooltip help for links, buttons, messages, and other selections
• Non-text content that is presented to the user has a text alternative that serves the equivalent purpose
• Methods are provided for skipping over navigation links to get to the main content of the page
• Captions are provided for prerecorded audio content in synchronized media
• Visual focus indicators by way of cursors in editable objects and highlighted buttons, menu items, and other selections
• Content can be displayed in high contrast and large font mode
• Landmarks are used on the page to identify commonly found sections of web page content, such as banners, breadcrumbs, and tabs
• Input errors that are automatically detected are identified and described in text
• Web pages do not contain content that flashes more than three seconds
• Color is not used as the only visual means of conveying information
• Documentation that includes hover-over image descriptions
Keyboard navigation
Note:
1. During manual explore or recorded login, use the Tab key to navigate the links you want to explore and record. Use ALT+F4 to exit the recording browser window. Pausing or resuming the recording session is not available using keyboard shortcuts.
2. Input errors that are detected provide the user with text descriptions: for required fields not completed (upon submit), when a user input falls outside the required values, and when input data is not in the list of allowed values. Required fields may not always have indicators.
3. The DOM (Document Object Model) has been tagged with WAI-ARIA (Web Accessibility Initiative - Accessible Rich Internet Applications) landmarks, which vastly improves keyboard navigation for the following: Data grouping, Accordion twisty, Regular twisty, breadcrumbs, navigational buttons, Quick scan Tabs, Help Tabs, ViewHTTPRequest tabs, Report Grid Tabs, About this Document tabs, About this Form tabs, About this Issue tabs, About this Page tabs, Dashboard tabs, Trend tabs, Report pack Summary layout tabs, and Security Dashboard tabs.
To navigate into the charts by using the keyboard, press the Tab key until the focus is on the chart.
1. Press the right arrow key to enter the chart, and press the down arrow key to focus on the axis of the chart.
2. Use the down and up arrow keys to move between the axes of the chart. You can use the right arrow key to enter the elements of an axis, and use the left arrow key to return to the axis.
Note: Key summary:
• Enter a chart: Right arrow, down arrow
• Navigate areas of a chart: Up and down arrow
• Enter an area of a chart: Right arrow
• Leave an area of a chart to move up a level: Left arrow
Interface information
The AppScan Enterprise user interfaces do not have content that flashes 2 - 55
times per second.
The DOM (Document Object Model) has been tagged with WAI-ARIA (Web
Accessibility Initiative - Accessible Rich Internet Applications) landmarks which
vastly improves keyboard navigation for the following: Data grouping, Accordion
twisty, Regular twisty, breadcrumbs, navigational buttons, Quick scan Tabs, Help
Tabs, ViewHTTPRequest tabs, Report Grid Tabs, About this Document tabs, About
this Form tabs, About this Issue tabs, About this Page tabs, Dashboard tabs, Trend
tabs, Report pack Summary layout tabs, and Security Dashboard tabs.
In addition to standard IBM help desk and support websites, IBM has established
a TTY telephone service for use by deaf or hard of hearing customers to access
sales and support services:
For more information about the commitment that IBM has to accessibility, see IBM
Accessibility (www.ibm.com/able).
Planning checklist
Before you install IBM Security AppScan Enterprise, review and complete all of the
necessary tasks on the planning checklist.
Table 1. Planning checklist (check each task when complete)
[ ] Get an inventory of your existing applications and identify the networks where they exist.
[ ] Determine how many users will require access to AppScan Enterprise.
[ ] Figure out how many applications you will scan. Are they in testing or production environments?
[ ] Review your existing environment.
[ ] Check the hardware and software requirements for the SQL Server database. Are you going to use the Standard or Enterprise version of SQL Server?
[ ] Review the hardware and software requirements of the hosting servers you need.
[ ] What type of authentication are you using: Windows or LDAP?
[ ] Identify the people in your organization who will help you get things done:
    • user accounts
    • licensing issues
    • setting up the SQL Server
    • LDAP administrator (if you use LDAP)
Installation requirements
The Installation of AppScan Enterprise requires the correct hardware, software,
operating system, and other factors.
Note: If you install on a virtual machine (VM), make sure that you use these
settings during the VM configuration:
• Number of virtual sockets: 4
• Number of cores per socket: 1
Machine that hosts the AppScan Enterprise Server
Note:
1. Windows 2008 Server only supports TLSv1.0. Scanning sites that
require TLSv1.1 or TLSv1.2 will not work. Enterprise Console will not
have TLSv1.1 or TLSv1.2 protocols available for the IIS hosted part of
the application.
2. AppScan Enterprise is a 32-bit product. It will run on a 64-bit machine,
but in 32 bit mode.
3. The installer for the Dynamic Analysis Scanner and AppScan Enterprise
Server checks for the .NET 4.6.2 framework, and installs it if it does not
exist.
4. For best results, install all critical Microsoft software updates.
5. If the website being scanned uses technologies such as Flash, Windows
Media, and additional character sets, these technologies must also be
installed on the agent server machines.
Web Server
• IIS7 (Windows 2008 Server)
  – Common HTTP features (all components except HTTP Redirection)
  – Application development (ASP.NET, ISAPI Extensions, ISAPI Filters)
  – Health and diagnostics (HTTP Logging, Request Monitor)
  – Security (Basic and Windows Authentication)
  – Performance (Static Content Compression)
  – Management tools (IIS Management console)
  – IIS 6 Management Compatibility (All)
• IIS8.0 (Windows 2012 Server)
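The IIS role services listed above can be installed and verified from the Server Manager PowerShell module instead of the GUI. The script below is an added example and is not part of the IBM guide. It assumes Windows Server 2008 R2 or 2012 (where the ServerManager module is available) and maps each item in the guide's list to the standard Windows role-service name (Web-Static-Content, Web-Asp-Net, Web-Mgmt-Compat and so on). It deliberately leaves out Web-Http-Redirect, which the guide excludes, and warns if that component is present.

```powershell
# Added example (not from the IBM guide): install and verify the IIS role
# services the guide lists for the AppScan Enterprise Server web server.
# Assumes Windows Server 2008 R2 or 2012 with the ServerManager module.
# The Web-* names are the standard Windows role-service identifiers that
# correspond to the items in the guide's list. Run from an elevated prompt.
Import-Module ServerManager

$required = @(
    'Web-Server',                                   # the IIS role itself
    # Common HTTP features, all except HTTP Redirection (Web-Http-Redirect)
    'Web-Static-Content', 'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors',
    # Application development: ASP.NET, ISAPI Extensions, ISAPI Filters
    'Web-Asp-Net', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    # Health and diagnostics: HTTP Logging, Request Monitor
    'Web-Http-Logging', 'Web-Request-Monitor',
    # Security: Basic and Windows authentication only
    'Web-Basic-Auth', 'Web-Windows-Auth',
    # Performance: Static Content Compression
    'Web-Stat-Compression',
    # Management tools: IIS Management Console
    'Web-Mgmt-Console',
    # IIS 6 Management Compatibility (all sub-features)
    'Web-Mgmt-Compat', 'Web-Metabase', 'Web-WMI', 'Web-Lgcy-Scripting', 'Web-Lgcy-Mgmt-Console'
)

# Resolve the names first. A name Windows does not recognise is a typo or a
# platform difference, so stop rather than silently skipping it.
$known      = Get-WindowsFeature -Name $required -ErrorAction SilentlyContinue
$knownNames = $known | ForEach-Object { $_.Name }
$unknown    = $required | Where-Object { $knownNames -notcontains $_ }
if ($unknown) { throw "Unknown Windows features on this host: $($unknown -join ', ')" }

# Install only what is missing, and surface a pending reboot explicitly.
$missing      = $known | Where-Object { -not $_.Installed }
$missingNames = $missing | ForEach-Object { $_.Name }
if ($missingNames) {
    Write-Host "Installing: $($missingNames -join ', ')"
    $result = Add-WindowsFeature -Name $missingNames
    if (-not $result.Success) { throw "Feature installation failed" }
    if ($result.RestartNeeded -ne 'No') { Write-Warning "A restart is required to finish installation" }
} else {
    Write-Host "All required IIS components are already installed."
}

# The guide excludes HTTP Redirection; report it if something else pulled it in.
if ((Get-WindowsFeature -Name 'Web-Http-Redirect').Installed) {
    Write-Warning "Web-Http-Redirect is installed; the guide lists it as not required."
}

# Final verification: every required component with its install state.
Get-WindowsFeature -Name $required |
    Select-Object Name, DisplayName, Installed |
    Format-Table -AutoSize
```

On Windows Server 2012 Add-WindowsFeature is an alias of Install-WindowsFeature, so the same script works on both platforms; the explicit unknown-name check matters because Get-WindowsFeature silently returns nothing for a misspelled name on 2008 R2.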
Note:
1. While Enterprise and Standard editions are supported for the following
SQL Server versions, the Enterprise edition has superior scalability and
security-enabling capabilities, such as built-in support for Transparent
Data Encryption (TDE). Standard Edition can be secured through MS
Windows Encrypting File System (EFS) or other third party encryption
methods.
2. While both 64 and 32 bit versions of SQL Server are supported, using
the 64-bit version of SQL Server can result in better performance. The
32-bit version works best for evaluation and small deployments.
3. If your environment uses a named SQL Server for the AppScan
Enterprise database, make sure that TCP/IP is enabled in the SQL
Server configuration manager, and restart the SQL services for SQL
Server and SQL Server browser.
• Microsoft SQL Server 2008 SP3
• Microsoft SQL Server 2008 R2 SP2
• Microsoft SQL Server 2012
• Microsoft SQL Server 2014
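Note 3 above requires TCP/IP to be enabled for a named SQL Server instance, followed by a restart of the SQL Server and SQL Server Browser services. The script below is an added example, not from the IBM guide, that checks the protocol state through the SQL Server WMI provider (class ServerNetworkProtocol in the root\Microsoft\SqlServer\ComputerManagementNN namespace, where NN depends on the SQL Server version) and, only when run with -Enable, enables the protocol and restarts the two services. The instance name APPSCAN is a placeholder, and the script assumes it is run as an administrator on the SQL Server host.

```powershell
# Added example (not from the IBM guide): verify that TCP/IP is enabled for a
# named SQL Server instance and, when asked to, enable it and restart the
# SQL Server and SQL Server Browser services as the guide directs.
# Assumptions: run as an administrator on the SQL Server host; $InstanceName
# is a placeholder; the SQL Server WMI provider namespace version
# (ComputerManagement10/11/12/13 for SQL 2008/2012/2014/2016) is probed
# rather than hard-coded.
param(
    [string]$InstanceName = 'APPSCAN',   # placeholder instance name
    [switch]$Enable                      # without this switch the script only reports
)

# Pick whichever SQL Server WMI provider namespace exists on this host.
$namespace = 'ComputerManagement13', 'ComputerManagement12', 'ComputerManagement11', 'ComputerManagement10' |
    ForEach-Object { "root\Microsoft\SqlServer\$_" } |
    Where-Object { Get-WmiObject -Namespace $_ -List -ErrorAction SilentlyContinue } |
    Select-Object -First 1
if (-not $namespace) { throw "SQL Server WMI provider not found; is SQL Server installed on this host?" }

$filter = "InstanceName='$InstanceName' AND ProtocolName='Tcp'"
$tcp = Get-WmiObject -Namespace $namespace -Class ServerNetworkProtocol -Filter $filter
if (-not $tcp) { throw "Instance '$InstanceName' not found in $namespace" }

if ($tcp.Enabled) {
    Write-Host "TCP/IP is already enabled for instance $InstanceName."
    return
}

Write-Warning "TCP/IP is disabled for instance $InstanceName; AppScan Enterprise cannot reach it over the network."
if (-not $Enable) {
    Write-Host "Re-run with -Enable to enable TCP/IP and restart the SQL services."
    return
}

# Enable the protocol; the change takes effect only after the service restarts.
$null = $tcp.SetEnable()

# A named instance runs as MSSQL$<name>; the Browser service advertises its port.
foreach ($svc in "MSSQL`$$InstanceName", 'SQLBrowser') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Restart-Service -Name $svc -Force
        Write-Host "Restarted service $svc"
    } else {
        Write-Warning "Service $svc not found"
    }
}

# Re-read the protocol object to confirm the new state.
$tcp = Get-WmiObject -Namespace $namespace -Class ServerNetworkProtocol -Filter $filter
"TCP/IP enabled for ${InstanceName}: $($tcp.Enabled)"
```

Running the script without -Enable is a safe preinstallation check; the restart is required because SQL Server reads its protocol configuration only at service start, so a "TCP/IP enabled" reading immediately after SetEnable() does not by itself mean the instance is listening.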
Note:
1. When using IE 8.0, you must install Microsoft Silverlight to view the
charts in the Monitor view.
• Mozilla Firefox 31.0 (ESR): supported in v9.0.2 - v9.0.2.1
• Mozilla Firefox 38.0 (ESR): supported in v9.0.2.1 iFix2 and later
• Google Chrome (only for Manual Explore Desktop tool)
Rational License Key Server
Version 8.1.1, 8.1.2, 8.1.3, 8.1.4
Defect Tracking Systems
• Atlassian JIRA 6.4.1, 7.0
• Rational Team Concert 3.0, 3.0.1, 4.0, 4.0.1, 4.0.3, 5.0.2, 6.0.1 (added in v9.0.3.1)
• Rational Quality Manager 2.0, 2.0.1
Supported Integrations
• AppScan Source v9.0.1.1 and higher (versions 7.0 - 9.0.0 are supported for importing of security results only)
• AppScan Standard V7.7 - V9.0.4 inclusive (previous versions are supported for importing of security results only)
• IBM Security SiteProtector™ 3.0, 3.0.0.1, 3.1
• IBM Security QRadar® SIEM 7.0 MR5, 7.1 MR2, 7.2, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5
• WebSphere Portal 6.0.1.4 and higher
VM
VMware ESXi v4.0, 4.1, 5.0
Application Server
WebSphere Application Server Liberty Core 8.5.5.6, 8.5.5.9 (upgraded in v9.0.3.1 iFix1)
Supported technologies
See “Supported technologies” on page 28.
If the site you scan uses Adobe Flash, the Flash Player plug-in for the Internet Explorer browser must be installed on the machine where the Dynamic Analysis Scanner runs. The supported versions of Adobe Flash can be downloaded from http://get.adobe.com/flashplayer/. Version 8 and higher are supported, but only versions 9 and higher have ActionScript 3 capabilities.
The Glass box software must be installed on the same server as the application you
want to test, not on the local machine where AppScan Enterprise itself is installed.
Table 2. Java platform requirements
Software | Requirement
Java EE containers | JBoss AS 6, 7; JBoss EAP 6.1; Tomcat 6.0, 7.0; WebLogic 11; WebSphere 7.0, 8.0, 8.5, 8.5.5
Chapter 3. Installing 27
Operating Systems | Windows: Windows Server 2008 R2 with and without SP1 (both 32 and 64-bit supported)
Note: The agent should be installed after the application you want to test is
successfully installed on the server.
Translated languages
Supported technologies
It's important to understand which of the technologies that are used by your site
might affect AppScan’s ability to scan the site, and which ones do not affect the
scan at all.
An AppScan scan consists of two main stages: Explore and Test. For each stage, the
table offers guidelines for understanding which server-side and client-side
technologies might affect the scan, and in which cases configuration is needed.
Table 4. Supported technologies
Explore stage
v Server-side technologies: Any server-side technology that does not affect the client (such as the specific database used) does not affect the scan in any way.
v Client-side technologies: The two main client-side technologies used today are HTML5 and JavaScript, and both affect the Explore stage of the scan.
Test stage
v Server-side technologies: AppScan is designed to test the application and not its supporting technologies; they do not affect testing. To consider databases again: AppScan's suite of SQL Injection tests is independent of the database used. It also offers specific third-party tests (Common Vulnerabilities testing).
v Client-side technologies: Client-side testing is performed only on JavaScript code. Currently, only plain JS vulnerabilities are detected. JS frameworks are not supported; JS code that uses a framework might not be properly analyzed. HTML5 is fully supported.
Using the local system user account during installation and
configuration
The Local System User Account is the interactive account you log in with to
install and configure the product; it is distinct from the built-in Windows
LocalSystem (NT AUTHORITY\SYSTEM) account. It must be a local Product
Administrator on the machine (it does not have to be the service account). In
the local security policy for that machine, this user must have the following
permissions:
v Access this computer from the network
v Allow log on locally
During installation and configuration, the Local System User Account requires
db_owner permissions on the SQL Server database to create the database and
tables, add users, run stored procedures, and grant rights. After installation
and configuration are completed, remove the database permissions from the Local
System User Account and assign them to the Service Account, which handles all
interaction between AppScan Enterprise and the database from then on.
Tip: If you upgrade AppScan Enterprise or rerun the configuration wizard (which
changes the database), give the Local System User Account the appropriate
database privileges again, and remove them afterwards.
1. The Local System User Account creates and structures the AppScan database on
the MS SQL Server.
2. The Local System User Account adds the Service Account to the database as
db_owner.
3. The Local System User Account initializes the database with necessary data.
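The privilege handover described above, as an added example; this script is not part of the AppScan Enterprise guide or product. It grants the installation account db_owner before the Configuration wizard runs and, in a second phase, makes sure the Service Account holds db_owner and removes the installation account from the database. The instance, database and account names are placeholders; the script assumes sqlcmd.exe from the SQL Server client tools is on the PATH, that the caller is sysadmin on the instance, and that the database already exists (pre-created by the DBA or created by the wizard). It uses sp_addrolemember and sp_droprolemember rather than ALTER ROLE so that it also runs on SQL Server 2008 and 2008 R2.

```powershell
<#
Added example; not part of the AppScan Enterprise guide. Moves db_owner on the
AppScan Enterprise database from the Local System User Account (installation
account) to the Service Account. All names below are placeholders.
#>
param(
    [string]$SqlInstance    = 'sqlhost\ASE',        # <sql_server_host>\<sql_server_instance>
    [string]$Database       = 'AppScanEnterprise',
    [string]$InstallAccount = 'CORP\ase_install',   # Local System User Account
    [string]$ServiceAccount = 'CORP\svc_appscan',   # Service Account
    [ValidateSet('Grant', 'Handover')] [string]$Phase = 'Grant'
)

function Invoke-Tsql([string]$Script) {
    # Runs one T-SQL script with Windows authentication; -b aborts on the first error.
    # The file is written as UTF-16 with a BOM, which every sqlcmd version reads.
    $file = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $file -Value $Script -Encoding Unicode
    try {
        & sqlcmd.exe -S $SqlInstance -E -b -i $file
        if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
    } finally { Remove-Item $file -ErrorAction SilentlyContinue }
}

# Phase 'Grant' (before installation, or before rerunning the Configuration
# wizard): the installation account becomes db_owner of the database.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$InstallAccount')
    CREATE LOGIN [$InstallAccount] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$InstallAccount')
    CREATE USER [$InstallAccount] FOR LOGIN [$InstallAccount];
EXEC sp_addrolemember N'db_owner', N'$InstallAccount';
"@

# Phase 'Handover' (after the wizard completes): the service account is made
# db_owner (the wizard normally does this itself) and the installation account
# is removed from the database. If the installation account created the
# database it is mapped to dbo rather than to a named user, so ownership is
# transferred to sa first; DROP USER cannot remove the dbo mapping.
$handover = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
IF (SELECT SUSER_SNAME(owner_sid) FROM sys.databases WHERE name = N'$Database') = N'$InstallAccount'
    ALTER AUTHORIZATION ON DATABASE::[$Database] TO [sa];
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$ServiceAccount')
    CREATE USER [$ServiceAccount] FOR LOGIN [$ServiceAccount];
EXEC sp_addrolemember N'db_owner', N'$ServiceAccount';
IF EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$InstallAccount')
BEGIN
    -- DROP USER fails if the user still owns a schema; run ALTER AUTHORIZATION ON SCHEMA first in that case.
    EXEC sp_droprolemember N'db_owner', N'$InstallAccount';
    DROP USER [$InstallAccount];
END
-- Verification: only the service account should remain in db_owner.
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
"@

switch ($Phase) {
    'Grant'    { Invoke-Tsql $grant }
    'Handover' { Invoke-Tsql $handover }
}
```

Run it with -Phase Grant before installation (and again before rerunning the wizard, as the Tip says) and with -Phase Handover afterwards; the final SELECT lists who is left in db_owner, which should be only the service account.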
Table 6. Using the Local System User Account as the installation account.
Permissions: Make the local system user account a local administrator. Log in as this account when you are installing or maintaining the software. The local system user account must have the following permissions in the local security policy for the computer:
v Access this computer from the network
v Log on as a service (this permission is granted by the Server Configuration wizard, which is being run by a local Product Administrator)
Description: If a group policy that is deployed on the server alters the local security policy of the computer and revokes any of these rights after installation and configuration, AppScan Enterprise will not work.
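A check for the rights in Table 6, as an added example; this script is not part of the AppScan Enterprise guide or product. It exports the effective local security policy with secedit.exe and reports, for each required right, whether the installation account (a placeholder name) holds it and whether it also appears in the matching Deny right, which group policy commonly adds and which always overrides an Allow. It assumes an elevated PowerShell session on the AppScan Enterprise server and that the account is a member of BUILTIN\Administrators, as Table 6 requires; rights inherited through any other group are not resolved and need a manual look.

```powershell
<#
Added example; not part of the AppScan Enterprise guide. Verifies that the
installation account still holds the user rights from Table 6 and is not
explicitly denied them. Run elevated; the account name is a placeholder.
#>
param([string]$Account = "$env:COMPUTERNAME\ase_install")

$RequiredRights = @{
    'SeNetworkLogonRight'     = 'Access this computer from the network'
    'SeInteractiveLogonRight' = 'Allow log on locally'
    'SeServiceLogonRight'     = 'Log on as a service'   # set by the Server Configuration wizard
}
$AdministratorsSid = 'S-1-5-32-544'   # Table 6 makes the account a local administrator

function Get-AccountSid([string]$Name) {
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRightsAssignment {
    # Returns a hashtable: privilege name -> array of SIDs (or names) that hold it.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    $rights = @{}
    try {
        # secedit writes UTF-16 with a BOM, which Get-Content detects. Lines look like:
        #   SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $rights[$matches[1]] = @($matches[2].Split(',') |
                    ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
    return $rights
}

function Test-InstallAccountRights([string]$Name) {
    $sid    = Get-AccountSid $Name
    $rights = Get-UserRightsAssignment
    foreach ($priv in $RequiredRights.Keys) {
        $holders = @($rights[$priv])
        $deniers = @($rights[($priv -replace '^Se', 'SeDeny')])   # e.g. SeDenyNetworkLogonRight
        $allowed = ($holders -contains $sid) -or ($holders -contains $Name) -or
                   ($holders -contains $AdministratorsSid)
        $denied  = ($deniers -contains $sid) -or ($deniers -contains $Name)
        [pscustomobject]@{
            Right   = $RequiredRights[$priv]
            Allowed = $allowed
            Denied  = $denied
            Ok      = $allowed -and -not $denied
            Holders = ($holders -join ', ')
        }
    }
}

$results = @(Test-InstallAccountRights -Name $Account)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning "$Account is missing a required right or is explicitly denied one; AppScan Enterprise will not work until the local security policy (or the group policy overriding it) is corrected."
    exit 1
}
```

Because group policy is reapplied periodically, this is worth scheduling after installation rather than running once: the Description column of Table 6 is exactly the failure this detects.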
Other user accounts
Table 7. Other user accounts.
ASPNET account: The ASPNET account must have the following permissions on Drive:\\YourInstallFolder\IBM\product name\ and all of its subfolders:
v Read and Execute
v Write
v Delete
v Impersonate a client after authentication (this one is a user right assigned in the local security policy, not an NTFS folder permission)
Internet Guest account: The Internet Guest account must have the following permissions on Drive:\\YourInstallFolder\IBM\product name\ and all of its subfolders:
v Read and Execute
v Write
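The folder permissions from Table 7, as an added example; this script is not part of the AppScan Enterprise guide or product. It grants the two IIS accounts exactly the NTFS rights listed in the table on the install folder, inherited by every subfolder and file, and then reads the ACL back to confirm that nothing less, and nothing more such as Full Control, was granted. Account names differ by IIS version (IUSR_<host> on IIS 6, IUSR on IIS 7 and later; the ASP.NET worker identity for "ASPNET") and the install path differs per server, so the defaults are placeholders. "Impersonate a client after authentication" is a user right, not an NTFS permission, and is not handled here.

```powershell
<#
Added example; not part of the AppScan Enterprise guide. Grants and verifies
the Table 7 NTFS rights on the install folder. Run elevated; the path and
account names are placeholders.
#>
param(
    [string]$InstallRoot   = 'C:\Program Files (x86)\IBM\AppScan Enterprise',
    [string]$AspNetAccount = "$env:COMPUTERNAME\ASPNET",
    [string]$GuestAccount  = 'NT AUTHORITY\IUSR'
)

$Grants = @(
    @{ Account = $AspNetAccount; Rights = 'ReadAndExecute, Write, Delete' }   # Table 7: ASPNET
    @{ Account = $GuestAccount;  Rights = 'ReadAndExecute, Write' }           # Table 7: Internet Guest
)

function Grant-FolderRights([string]$Path, [string]$Account, [string]$Rights) {
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',  # subfolders and files
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)          # adds to the existing ACEs; nothing is replaced
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AllowedFolderRights([string]$Path, [string]$Account) {
    # ORs together every Allow ACE for the account on this folder into one mask.
    $mask = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq $Account -and
            $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    return $mask
}

foreach ($g in $Grants) {
    Grant-FolderRights -Path $InstallRoot -Account $g.Account -Rights $g.Rights
    $wanted = [int][System.Security.AccessControl.FileSystemRights]$g.Rights
    $full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $have   = Get-AllowedFolderRights -Path $InstallRoot -Account $g.Account
    [pscustomobject]@{
        Account     = $g.Account
        Wanted      = $g.Rights
        Granted     = (($have -band $wanted) -eq $wanted)   # the listed rights are present
        OverGranted = (($have -band $full) -eq $full)       # Full Control would be more than Table 7 asks
    }
}
```

Write and Delete on the whole install tree for web-facing identities is already a broad grant, so the OverGranted column is the one to watch: it should stay False, and an existing Full Control ACE for either account is worth removing.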
Table 8. Ports used by AppScan Enterprise (continued)
Port | Component | Protocol
9443 | Liberty server in AppScan Enterprise v9.0.1 and later (this port is configurable in the Configuration Wizard) | HTTPS
Note: Users must log off properly to release the license; closing the browser
does not release the license until the session times out, which is two hours
later by default.
1. Change the session timeout for the Monitor view by modifying the
session.timeout property (in milliseconds) in the <install-dir>\AppScan
Enterprise\Liberty\usr\servers\<ase instance name>\server.xml file.
2. Change the session timeout for the Folder Explorer view by modifying the
sessionState timeout attribute (in minutes; <sessionState timeout="120"/> is
the two-hour limit described above) in the <install-dir>\IBM\AppScan
Enterprise\WebApp\web.config file.
v How to apply the licenses
v Common licensing scenarios
Improved traffic performance for DAST scanning
In earlier versions of AppScan Enterprise, the DAST scan server wrote data into
the central database throughout the entire duration of the scan. This consumed a
lot of resources on the database server, which affected the Web UI performance
and greatly limited the number of scans that could run simultaneously on a scan
server. There were also latency concerns depending on where the scan server was
located in relation to the database server.
As of AppScan Enterprise version 8.7, scan data is written into a local built-in
database on the DAST scan server while the scan runs. At the end of the scan,
the data is transferred to the central SQL Server database, which resides on the
AppScan Enterprise Server. Network traffic is therefore concentrated between the
scan server and the target application, and traffic between the scan server and
the database server is reduced. This improves the performance of the Web UI,
enables organizations to run more simultaneous scans on a single scan server,
and addresses the latency concerns when the scan server is located far from the
database server.
The following benchmarks are based on a dynamic analysis scan of a test website
'Altoro Mutual' (demo.testfire.net). The web application is hosted in Texas, USA;
the DAST scan server and the SQL Server database are hosted in Ottawa, Canada.
The test scan was completed by AppScan Enterprise 8.7 in 41 minutes, covered 688
pages, and included 21,068 unique security tests.
The specifications of the computer that hosted the DAST scanner are:
v Windows Server 2008 R2 SP1
v 2 CPUs, 4 GB RAM
Table 9. Network traffic data
Server | Total bytes | Bytes sent | KB/second sent | Bytes received | KB/second received
SQL Database Server | 167,471,086 | 81,546,724 | 258.6 | 85,924,362 | 272.5
DAST Scan Server | 329,359,220 | 112,187,145 | 355.8 | 217,172,075 | 688.8
Web Server | 161,890,890 | 135,628,107 | 472.5 | 26,262,783 | 91.5
The total traffic usage between the SQL Database Server and the DAST scan server
is 81,546,724 (bytes sent) + 85,924,362 (bytes received) = 167,471,086 bytes.
The total traffic usage between the DAST scan server and the Web Server is
135,628,107 (bytes sent) + 26,262,783 (bytes received) = 161,890,890 bytes.
Preinstallation tasks
Before you install AppScan Enterprise, you will need to prepare and configure
your system.
Preinstallation checklist
You must take certain steps before you install AppScan Enterprise.
Table 10. Preinstallation checklist (check each task when complete)
v Install and configure your SQL Server database.
v Create a “Service Account” on page 155. Make sure the service account works on each machine where the Scanner and Server are going to be installed. See “Required user account information during installation and configuration” on page 30.
v Attach the service account with appropriate privileges to access the SQL Server database.
v Log in to the Rational License Key Center to get your license keys for AppScan Enterprise.
v Find out the MAC id and disk id of the server where the Rational License Server is installed.
v Import licenses into the Rational License Server.
v Set up your LDAP accounts. Identify your users and groups.
v If you are upgrading to v9.0.1 or higher, read “Replacing Jazz Team Server with WebSphere Liberty - Frequently asked questions” on page 114 before you begin upgrading.
v If you are upgrading to v9.0.1 or higher and need to migrate Jazz Team Server users to the Liberty authentication method, export a .csv file of users before you begin upgrading. From the <install-dir>\AppScan Enterprise\JazzTeamServer\server\ directory, run: repotools-jts.bat -exportUsers toFile=C:\users.csv repositoryURL=https://<hostname>:9443/jts. Then follow the steps that are documented in Configuring a basic user registry for the Liberty profile to import the users into Liberty.
v If you don't have a server certificate, create one from your certificate authority to use with Liberty. See “Using a certificate in your certificate store with Liberty” on page 42.
v Set up security on SQL Server. On the Enterprise edition, enable Transparent Data Encryption (TDE). On the Standard edition, use Encrypting File System (EFS).
v Export your server certificate from IIS as a .pfx file, and give it a password. It contains information that you need during configuration to ensure AppScan Enterprise works with WebSphere Application Server Liberty Core. If you don't have a server certificate, create one from your certificate authority. The .pfx file contains the private key, so restrict access to it and delete it once the Configuration wizard has imported it.
v If you plan to import scan templates from AppScan Standard, disable Enhanced Security on Windows Server 2008, 2008 R2, and 2012 so that AppScan Enterprise can log in to applications. See “Disabling Internet Explorer Enhanced Security Configuration on Windows Server 2008, 2008 R2, and 2012” on page 41.
v Download the installation media from Passport Advantage.
Note: If your environment uses a named SQL Server instance for the AppScan
Enterprise database, make sure that TCP/IP is enabled in SQL Server
Configuration Manager, and restart the SQL Server and SQL Server Browser
services. This applies, for example, when you specify the instance in the SQL
Server or Server\Instance name field as <sql_server_host>\<sql_server_instance>
instead of just <sql_server_host>.
If your configuration uses Microsoft SQL Server Standard Edition, which does not
include TDE in the supported versions, and you plan to encrypt your AppScan
Enterprise databases, then the EFS procedure needs to be performed before you
install AppScan Enterprise.
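The TDE task from the checklist above, as an added example; this script is not part of the AppScan Enterprise guide or product. It enables Transparent Data Encryption on the AppScan Enterprise database on SQL Server 2008 to 2014 Enterprise Edition (Standard Edition of those versions has no TDE, which is why the guide points it to EFS). It assumes sqlcmd.exe is on the PATH and that the caller is sysadmin; the instance, database, certificate name and backup directory are placeholders. TDE protects data files, log files and backups at rest only; it does not limit what a login with access to the database can read, so it complements rather than replaces the account permissions in this chapter. The certificate is backed up before encryption is switched on because a database encrypted under a certificate that has been lost cannot be restored or attached anywhere.

```powershell
<#
Added example; not part of the AppScan Enterprise guide. Enables TDE on the
AppScan Enterprise database and backs up the certificate that protects it.
Names and paths are placeholders.
#>
param(
    [string]$SqlInstance = 'sqlhost\ASE',
    [string]$Database    = 'AppScanEnterprise',
    [string]$CertName    = 'ASE_TDE_Cert',
    [string]$BackupDir   = 'D:\tde-backup'   # move the backup off the database server afterwards
)

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Two separate secrets: one protects the master key in master, one protects the
# private key in the certificate backup. They are passed as sqlcmd scripting
# variables so they never land in the temporary script file; they are still
# visible on the sqlcmd command line while it runs, so run this interactively
# on the database server. Avoid single quotes in either password.
$masterKeyPw = ConvertTo-PlainText (Read-Host -Prompt 'Database master key password' -AsSecureString)
$backupPw    = ConvertTo-PlainText (Read-Host -Prompt 'Certificate backup password'   -AsSecureString)

# Single-quoted here-string: $(name) is sqlcmd variable syntax, not PowerShell.
$tsql = @'
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$(MasterKeyPw)';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = N'$(CertName)')
    CREATE CERTIFICATE [$(CertName)] WITH SUBJECT = 'AppScan Enterprise TDE certificate';
-- Backup first: BACKUP CERTIFICATE fails if the files already exist, which is intended.
BACKUP CERTIFICATE [$(CertName)] TO FILE = '$(BackupDir)\$(CertName).cer'
    WITH PRIVATE KEY (FILE = '$(BackupDir)\$(CertName).pvk',
                      ENCRYPTION BY PASSWORD = '$(BackupPw)');
USE [$(Database)];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE [$(CertName)];
ALTER DATABASE [$(Database)] SET ENCRYPTION ON;
-- encryption_state: 2 = encryption in progress, 3 = encrypted. tempdb is listed too;
-- it becomes encrypted automatically once any user database is.
SELECT DB_NAME(database_id) AS database_name, encryption_state
FROM sys.dm_database_encryption_keys;
'@

$file = [System.IO.Path]::GetTempFileName()
Set-Content -Path $file -Value $tsql -Encoding Unicode   # UTF-16 with BOM, readable by every sqlcmd
try {
    & sqlcmd.exe -S $SqlInstance -E -b -i $file `
        -v MasterKeyPw="$masterKeyPw" BackupPw="$backupPw" CertName="$CertName" `
           Database="$Database" BackupDir="$BackupDir"
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
} finally { Remove-Item $file -ErrorAction SilentlyContinue }
```

Keep the .cer and .pvk files and the backup password with the other disaster-recovery material, not on the database server: restoring an AppScan Enterprise backup onto another instance requires recreating the certificate from them first.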
The following procedure assumes that IIS7 is already installed on the server. See a
list of prerequisite IIS features in the system requirements.
Procedure
1. On the Windows 2008 Server, go to Start > Control Panel > Programs and
Features.
2. Click Turn Windows features on or off in the Tasks panel.
3. In the Contents view, click Roles.
4. Click Add Role Services in the Role Services section.
5. Select the Static Content role service.
6. Expand Management Tools (Installed), select the IIS6 Management
Compatibility check box, and click Install.
What to do next
Install a valid security certificate into IIS.
v For IIS6: See Install a Server Certificate (IIS 6.0)
v For IIS7: See Configuring Server Certificates in IIS 7
Procedure
1. On Windows Server 2008 or 2008 R2:
a. Open the Server Manager (Start > Server Manager).
b. In the Security Information section, click Configure IE ESC.
c. In the Internet Explorer Enhanced Security Configuration window, disable
the IE ESC for Administrators and Users, and click OK.
2. On Windows Server 2012:
a. Start the Server Manager (Server Manager > Local Server).
b. In the Properties section, scroll to the right until you see this option: IE
Enhanced Security Configuration, and toggle the setting to Off.
c. In the Internet Explorer Enhanced Security Configuration window, disable
the IE ESC for Administrators and Users, and click OK.
Note: In the Server Manager, you will notice that the setting has not
changed. Press F5 to refresh the screen to see that the setting has turned off.
Procedure
1. Add the Desktop Experience feature:
a. On the Windows Server 2012 computer, open Server Manager from the
taskbar or from the Start menu.
b. In the Dashboard section, click Add roles and features.
c. In the Add Roles and Features wizard, select Server Selection > Features.
d. In the Features list, select User Interfaces and Infrastructure > Desktop
Experience.
e. Click Next, and then click Install and respond to the wizard prompts to
complete the wizard.
2. Enable the Flash Player in Microsoft Internet Explorer. Follow the instructions
at http://forums.adobe.com/thread/885448.
3. Disable the ActiveX filtering in Internet Explorer. Follow the instructions at
http://forums.adobe.com/thread/867968.
Procedure
1. Go to Passport Advantage and sign in using your IBM ID and password.
Note: Here are some useful videos on using Passport Advantage Online.
2. In the Find by search text field, enter AppScan Enterprise Server <version>
and download this eAssembly for your particular operating system: IBM
Security AppScan Enterprise Server <version> Multiplatform, Multilingual.
3. Go back to the search page, and in the Find by search text field, enter AppScan
Enterprise Dynamic Analysis Scanner <version> and download this
eAssembly for your particular operating system: IBM Security AppScan
Enterprise Dynamic Analysis Scanner <version> Windows Multilingual.
Procedure
1. Optional: If you don't have a server certificate, create one from your certificate
authority.
a. Generate a certificate request to send to your external certificate authority.
6. Finish the configuration wizard.
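The certificate export that the preinstallation checklist asks for, as an added example; this script is not part of the AppScan Enterprise guide or product. It exports the IIS server certificate with its private key as a password-protected .pfx for the Configuration wizard's Server Keystore (PKCS #12) step, using only .NET so that it runs on Windows Server 2008 R2 as well as 2012 (Export-PfxCertificate needs 2012 or later). The subject name and output path are placeholders. Because the .pfx holds the private key, the file's ACL is cut down to Administrators and SYSTEM as soon as it is written, and the file should be deleted after the wizard has imported it.

```powershell
<#
Added example; not part of the AppScan Enterprise guide. Exports the IIS server
certificate (with private key) as a password-protected PKCS #12 file and
verifies the result. Subject name and output path are placeholders.
#>
param(
    [string]$SubjectCn = 'ase.example.com',
    [string]$OutFile   = 'C:\secure\ase-server.pfx'
)

function Find-ServerCertificate([string]$Cn) {
    # Newest unexpired certificate in the machine store for this CN that has a
    # private key and is usable for server authentication (EKU 1.3.6.1.5.5.7.3.1,
    # or no EKU restriction at all).
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and
        $_.Subject -match ('(^|, )CN=' + [regex]::Escape($Cn) + '(,|$)') -and
        ($eku.Count -eq 0 -or $eku -contains '1.3.6.1.5.5.7.3.1')
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Export-ServerPfx(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
    [string]$Path, [System.Security.SecureString]$Password) {
    $plain = ConvertTo-PlainText $Password
    # Throws a CryptographicException if the key was generated as non-exportable;
    # the certificate then has to be re-issued with an exportable key.
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    [System.IO.File]::WriteAllBytes($Path, $bytes)

    # Drop inherited ACEs and leave only Administrators and SYSTEM on the key file.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl

    # Round-trip check: the file must load with its private key and match the source.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $plain)
    if (-not $check.HasPrivateKey -or $check.Thumbprint -ne $Cert.Thumbprint) {
        throw "PFX verification failed for $Path"
    }
    return $check.Thumbprint
}

$cert = Find-ServerCertificate -Cn $SubjectCn
if (-not $cert) { throw "No usable server certificate for CN=$SubjectCn in Cert:\LocalMachine\My" }
$pw = Read-Host -Prompt 'PFX password (you will enter it again in the Configuration wizard)' -AsSecureString
$thumbprint = Export-ServerPfx -Cert $cert -Path $OutFile -Password $pw
"Exported $($cert.Subject) (thumbprint $thumbprint, expires $($cert.NotAfter)) to $OutFile"
```

The thumbprint and expiry that the script prints are what you compare against the certificate the Liberty server presents on port 9443 after configuration; a mismatch means the wizard picked up a different keystore.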
Installation tasks
This section provides the instructions for installing AppScan Enterprise.
Installation checklist
As you install AppScan Enterprise, review and complete all of the necessary tasks
on the installation checklist.
Table 11. Installation checklist (check each task when complete)
v Install AppScan Enterprise Server (User Administration and Enterprise Console components).
v Run the Configuration Wizard.
v Verify the installation (log in to the Enterprise Console).
v Run the Default Settings wizard on the console server.
v (If using distributed topology) Install the Dynamic Analysis Scanner on the required number of machines.
v Run the Configuration Wizard.
v Verify the installation.
Note:
1. This scenario assumes that the SQL Server database is installed and configured
so that key information is available during configuration of AppScan Enterprise
Server.
2. If you already have a Rational License Key Server that is deployed on your
network, skip to the “Installing IBM Security AppScan Enterprise Server” on
page 47 task.
3. If you are upgrading from a previous version of AppScan Enterprise, read
“Replacing Jazz Team Server with WebSphere Liberty - Frequently asked
questions” on page 114 before you begin upgrading.
4. To migrate Jazz Team Server users to this new authentication method, export a
.csv file of users before you begin upgrading to v9.0.1. From the
<install-dir>\AppScan Enterprise\JazzTeamServer\server\ directory, run:
repotools-jts.bat -exportUsers toFile=C:\users.csv
repositoryURL=https://<hostname>:9443/jts. Then follow the steps in this topic:
Configuring a basic user registry for the Liberty profile to import the users
into Liberty.
The Rational License Key Server is used for hosting your AppScan Enterprise
Server license. If you do not have a Rational License Key Server on your network,
you can install it locally when you install AppScan Enterprise Server.
If you already have a supported version of Rational License Server installed,
you can skip the portion of these instructions that covers Rational License
Server installation and proceed to the portion that covers starting License Key
Administrator and importing your license.
Procedure
1. Go to the directory where you downloaded the executable file
(AppScanEnterpriseServerSetup_<version>.exe) and double-click the file. (The
Rational License Key Server is bundled in this .exe file.)
17. After you confirm the license or licenses to import, the Restart License Server
dialog box will open. Click Yes to restart the license server. If the License
Server service fails to start, open the Windows Services administrative tool. In
the tool, locate FLEXlm License Manager and start it.
Results
Use this procedure to install the User Administration component and Enterprise
Console for reporting and user administration tasks.
Before you begin
Make sure you read “Required user account information during installation and
configuration” on page 30 so that you know which user account to use during
installation.
If you have a Rational License Key Server that is already deployed elsewhere on
your network, start at Step 1; otherwise start at Step 2.
Procedure
1. Go to the directory where you downloaded the compressed file
(AppScanEnterpriseServerSetup_<version>.zip), extract the files, and
double-click the AppScanEnterpriseServerSetup_<version>.exe file.
Note: It might take a while for the next screen to display. The compressed file
includes these files:
v AppScanEnterpriseServerSetup_<version>.exe
v IBM Security AppScan Enterprise Server.msi - do not run this file
v Data1.cab
2. If you do not already have Rational License Key Server that is installed on your
network, install it when prompted, and follow the procedure in the Installing
Rational License Key Server task. Otherwise, click No.
3. In the Setup wizard Welcome screen, click Next.
4. In the License Agreement window, select the I accept the terms in the license
agreement option, and click Next.
5. In the Destination Folder window, do one of the following actions and click
Next:
a. Click Next to accept the default installation location.
b. Click Change to select a different installation location.
6. In the Ready to Install the Program window, click Install to proceed with the
installation.
7. On the Setup Wizard Completed screen, click Finish to launch the
Configuration Wizard.
After you install or upgrade the Server or Scanner, you must configure each
installed component and run the Configuration wizard on all instances and on all
servers.
Procedure
1. When the installation is complete, the Configuration wizard launches
automatically. You can also start it by selecting Configuration Wizard from
the Windows Start menu.
2. In the Welcome screen, click Next.
3. In the License Server window, specify the Rational License Server to use for
licenses. See “License Server” on page 153.
Do not check the AppScan Source standalone evaluation check box.
4. In the Server Components window, select the components that you want to
configure. The components available to you depend on your license. See
“Server Components” on page 154. If you are installing the components on
one machine, select all the check boxes, even if you have installed one of
the components previously.
7. In the Database Connection window, enter the SQL Server name, port number,
and the name of the database you are connecting to. You can click Test
Connection to make sure you can connect to the SQL Server. The
configuration wizard does not proceed until the connection is successful.
When AppScan Enterprise Server creates the database in SQL Server, it
automatically configures the collation for it.
9. (Upgrade only). In the Restore AppScan Server Settings screen, you can
choose to restore previous AppScan Server customized settings on the Liberty
Server (default). This screen appears once upon upgrade; if you run the
configuration wizard later, this screen won't appear. See Restore AppScan
Server settings.
10. In the Server Keystore screen, select a server keystore to be used by the
Enterprise Console. If you exported a .pfx file, select Public key cryptography
standards #12 (PKCS #12). Browse to the location where you saved the .pfx
file, import it and enter the password you created when you exported the file.
See “Server Keystore” on page 156.
Note: If you need to authenticate with the Common Access Card (CAC), make
sure you choose LDAP as your authentication mechanism. Once AppScan
Enterprise is configured, follow the instructions in “Authenticating with the
Common Access Card (CAC)” on page 102 to authenticate with CAC.
12. In the Server Configuration window,
Note: AppScan Enterprise supports the transparent data encryption (TDE)
technology that is available in SQL Server 2008 and later (Enterprise Edition).
TDE encrypts the database's data files, log files, and backups at rest on
physical media; it does not control which logins can read the data, so it
complements rather than replaces the account permissions described in this
chapter. If you are using an older version, or an edition without TDE, the data
in that database is at risk of compromise by unauthorized access to the
underlying files or backups.
14. In the Product Administrator window, specify a user as Product
Administrator. This user is licensed separately; if you want to reassign the
Product Administrator license, you must rerun the configuration wizard. See
“Product Administrator” on page 157.
Note:
a. IIS AppPool settings on Windows 2008 Server R2 are set during
configuration:
v IIS recycling is set at 2:00am
v Idle timeout is set at 120 minutes
b. If you see an error message that the proxy server certificate cannot be
configured, it might be expired. Contact your Product Administrator to
investigate further.
16. Optional: Select the Start the Services check box to automatically start the
services.
Note: If you do not choose to automatically start the agent service, the agents
do not pick up any jobs that are created by users. You can manually start the
service by using the Administrative tools; see “Verifying the agent service and
alerting service installation” on page 88.
17. Run the Default Settings Wizard. This wizard helps you to install sample
data by providing defaults for a number of configurable options.
18. Click Exit.
This wizard helps you install sample data by providing defaults for a number of
configurable options. You can create users, add security test policies, create scan
templates, add pre-created dashboards, and configure defect tracking integration
with Rational Quality Manager or Rational Team Concert.
Ensure that the Launch Default Settings Wizard check box is selected when the
Configuration wizard finishes.
Procedure
1. In the Welcome page, choose the instance that you want to update, and click
Next.
2. In the Initialization Type window, select one of the available initializations, and
click Next.
3. In the Default Setting window, configure the following options and click Next:
a. Instance: Select the instance name for this setup. The Instance that was
configured in the Configuration wizard is selected here by default.
b. Contact: The name or a point of contact for the items that are created by the
wizard. You can edit these items later if necessary.
c. Root folder name: Enter a name for the default root folder. The default
folder acts as the root folder for all other folders you create.
d. Application URL: Enter the URL for the application users to access the
application. By default, this URL is the current computer's FQDN (fully
qualified domain name). (for example, http://myserver/mydomain/appscan/
).
4. (Windows authentication only): In the LDAP Settings page, select the Enable
LDAP check box if you use an LDAP server.
a. In the Server Name field, enter the LDAP server name.
b. In the Group Query field, enter the path of the group query that is used to
retrieve user group information. You can use an LDAP server or an Active
Directory server.
c. Optional: If you want to integrate with the LDAP server by using
anonymous access, select the Anonymous access check box. This option is
disabled by default.
d. Click Test LDAP to confirm the configuration works.
5. In the IP Security Permissions page, configure the IP addresses and ranges that
are allowed for scanning. Use a dash to define IPv4 ranges (such as 1.2.3.4–);
use a prefix to define IPv6 ranges (such as fe80::/10).
6. In the Populate Database with Sample Data page, select the Populate Sample
Data check box to populate the database with scan templates, pre-created
dashboards, server groups, and test policies.
7. Click Next. The Default Settings Wizard Progress page opens, displaying the
setup's progress.
8. When the wizard is complete, the Default Settings Wizard Complete page
opens.
9. Click Exit to close the wizard.
Use this procedure to install the agents that are used for scanning and testing your
website applications.
Note:
1. Make sure you read “Required user account information during installation
and configuration” on page 30 so that you know which user account to use
during installation.
2. Any technologies that you use on your website must also be installed with the
Scanner. For example, if you use Flash on any web pages, you must have the
correct version of Flash installed.
Procedure
1. Go to the directory where you downloaded the executable file
(ASE_DASSetup_<version>.exe) and double-click the file.
Note: Approximately 330 MB is required for the Web Services Explorer – GSC
(Generic Service Client tool) version 8.1 that is used to test Web Services for
security vulnerabilities
4. In the Destination Folder window, click Next.
5. In the Ready to Install the Program window, click Install to proceed with the
installation, and then click Finish.
Results
Running the Configuration wizard:
After you install or upgrade the Server or Scanner, you must configure each
installed component and run the Configuration wizard on all instances and on all
servers.
Procedure
1. When the installation is complete, the Configuration wizard launches
automatically. You can also start it by selecting Configuration Wizard from
the Windows Start menu.
2. In the Welcome screen, click Next.
3. In the License Server window, specify the Rational License Server to use for
licenses. See “License Server” on page 153.
7. In the Database Connection window, enter the SQL Server name, port number,
and the name of the database you are connecting to. You can click Test
Connection to make sure you can connect to the SQL Server. The
configuration wizard does not proceed until the connection is successful.
When AppScan Enterprise Server creates the database in SQL Server, it
automatically configures the collation for it.
Note:
a. IIS AppPool settings on Windows 2008 Server R2 are set during
configuration:
v IIS recycling is set at 2:00am
v Idle timeout is set at 120 minutes
b. If you see an error message that the proxy server certificate cannot be
configured, it might be expired. Contact your Product Administrator to
investigate further.
10. Optional: Select the Start the Services check box to automatically start the
services.
Note: If you do not choose to automatically start the agent service, the agents
do not pick up any jobs that are created by users. You can manually start the
service by using the Administrative tools; see “Verifying the agent service and
alerting service installation” on page 88.
11. Click Exit.
After the installation process is complete, you can verify the installation of the
Enterprise Console.
Procedure
Note:
1. This scenario assumes that you have installed and configured the SQL Server
Database so that key information is available during configuration of AppScan
Enterprise Server.
2. If you already have a Rational License Key Server deployed on your network,
skip to the “Installing AppScan Enterprise Server on Machine B” on page 69
task.
3. If you are upgrading from a previous version of AppScan Enterprise, read
“Replacing Jazz Team Server with WebSphere Liberty - Frequently asked
questions” on page 114 before you begin upgrading.
The Rational License Key Server is used for hosting your AppScan Enterprise
Server license. If you do not have a Rational License Key Server on your network,
you can install it locally when you install AppScan Enterprise Server.
If you already have a supported version of Rational License Server installed,
you can skip the portion of these instructions that covers Rational License
Server installation and proceed to the portion that covers starting License Key
Administrator and importing your license.
Procedure
1. Go to the directory where you downloaded the executable file
(AppScanEnterpriseServerSetup_<version>.exe) and double-click the file. (The
Rational License Key Server is bundled in this .exe file.)
14. Start the IBM Rational License Key Administrator from the Windows Start
menu (in the Programs menu, launch IBM Rational > License Key
Administrator).
15. When the IBM Rational License Key Administrator starts, you are prompted
with the License Key Administrator wizard (if the wizard does not open
automatically, select License Keys > License Key Wizard from the main
menu). In this wizard, select Import a Rational License File and then click
Next.
16. In the Import a License File panel, click Browse and then browse to your
AppScan Enterprise Server license file. Open the file with the browse dialog
box and then click Import. This table maps the license names in LKAD to the
license types in AppScan Enterprise.
Table 13. AppScan Enterprise licenses
License name in LKAD | What it is for
AppScan Enterprise Dynamic Analysis Scanner Per Install License Key | Dynamic Analysis Scanner
AppScan Enterprise Dynamic Analysis User Authorized User Single Install License Key | Authorized Scanning
AppScan Enterprise Dynamic Analysis User Floating User Single Install License Key | Floating Scanning
AppScan Enterprise Server Basic Per Install License Key | Enterprise Server Basic
AppScan Enterprise Server Per Install License Key | Enterprise Server Premium
AppScan Enterprise Edition Reporting Only User Authorized User Single Install License Key | Authorized Reporting
AppScan Enterprise Edition Reporting Only User Floating User Single Install License Key | Floating Reporting
17. After you confirm the license or licenses to import, the Restart License Server
dialog box will open. Click Yes to restart the license server. If the License
Server service fails to start, open the Windows Services administrative tool. In
the tool, locate FLEXlm License Manager and start it.
Use this procedure to install the User Administration component and Enterprise
Console for reporting and user administration tasks.
Make sure you read “Required user account information during installation and
configuration” on page 30 so that you know which user account to use during
installation.
If you have a Rational License Key Server that is already deployed elsewhere on
your network, start at Step 1; otherwise start at Step 2.
Procedure
1. Go to the directory where you downloaded the compressed file
(AppScanEnterpriseServerSetup_<version>.zip), extract the files, and
double-click the AppScanEnterpriseServerSetup_<version>.exe file.
Note: It might take a while for the next screen to display. The compressed file
includes these files:
v AppScanEnterpriseServerSetup_<version>.exe
v IBM Security AppScan Enterprise Server.msi - do not run this file
v Data1.cab
2. If you do not already have Rational License Key Server that is installed on your
network, install it when prompted, and follow the procedure in the Installing
Rational License Key Server task. Otherwise, click No.
3. In the Setup wizard Welcome screen, click Next.
4. In the License Agreement window, select the I accept the terms in the license
agreement option, and click Next.
5. In the Destination Folder window, do one of the following actions and click
Next:
a. Click Next to accept the default installation location.
b. Click Change to select a different installation location.
6. In the Ready to Install the Program window, click Install to proceed with the
installation.
7. On the Setup Wizard Completed screen, click Finish to launch the
Configuration Wizard.
Results
After you install or upgrade the Server or Scanner, you must configure each
installed component and run the Configuration wizard on all instances and on all
servers.
Procedure
1. When the installation is complete, the Configuration wizard launches
automatically. You can also start it by selecting Configuration Wizard from
the Windows Start menu.
2. In the Welcome screen, click Next.
3. In the License Server window, specify the Rational License Server to use for
licenses. See “License Server” on page 153.
4. In the Server Components window, select the components that you want to
configure. The components available to you depend on your license. See
“Server Components” on page 154. If you are installing the components on
one machine, select all the check boxes, even if you have installed one of
the components previously.
5. In the Instance Name window, specify the name of the instance you want to
configure. See “Instance Name” on page 154.
Note:
a. If you are upgrading an existing database from v8.6 or earlier, enter the
Database Master Key Password on the next screen to access it. Keep this
password in a secure location.
b. If your environment uses a named SQL Server instance for the AppScan
Enterprise database, make sure that TCP/IP is enabled in SQL Server
Configuration Manager, and restart the SQL Server services. Use the port
number of the named SQL Server instance instead of the default port number
(1433). Named instances listen on a dynamic port unless you assign a static
one in the TCP/IP properties, so check the port before you run the wizard.
8. In the Server Certificate window, choose a certificate specific to your
organization. This step helps you deploy a secure AppScan Enterprise in your
environment. See “Server Certificate” on page 156.
9. (Upgrade only). In the Restore AppScan Server Settings screen, you can
choose to restore previous AppScan Server customized settings on the Liberty
Server (default). This screen appears once upon upgrade; if you run the
configuration wizard later, this screen won't appear. See Restore AppScan
Server settings.
11. In the Authentication Mechanism window, select an Authentication
Mechanism to use to log in to the Enterprise Console. The default is to
authenticate via Windows. To use LDAP, see “Authentication Mechanism” on
page 157.
a. Configure the host name and port of the Liberty server for AppScan Server
to use. If you are using Windows authentication, prefix the host name with
your domain name.
b. While it is not a recommended practice, you can allow SSL connections
with invalid or untrusted certificates during scanning. When the option is
disabled, messages will appear in the scan log to indicate that the insecure
server could not be reached for scanning. This option also affects the
Manual Explore functionality.
15. Ensure that nobody is accessing the database, and click Finish in the
Specifications Complete window to complete the configuration. This process
might take a while.
Note:
a. IIS AppPool settings on Windows 2008 Server R2 are set during
configuration:
v IIS recycling is set at 2:00am
v Idle timeout is set at 120 minutes
b. If you see an error message that the proxy server certificate cannot be
configured, it might be expired. Contact your Product Administrator to
investigate further.
16. Optional: Select the Start the Services check box to automatically start the
services.
Note: If you do not choose to automatically start the agent service, the agents
do not pick up any jobs that are created by users. You can manually start the
service by using the Administrative tools; see “Verifying the agent service and
alerting service installation” on page 88.
17. Run the Default Settings Wizard. This wizard helps you to install sample
data by providing defaults for a number of configurable options.
18. Click Exit.
This wizard helps you install sample data by providing defaults for a number of
configurable options. You can create users, add security test policies, create scan
Ensure that the Launch Default Settings Wizard check box is selected when the
Configuration wizard finishes.
Procedure
1. In the Welcome page, choose the instance that you want to update, and click
Next.
2. In the Initialization Type window, select one of the available initializations, and
click Next.
3. In the Default Setting window, configure the following options and click Next:
a. Instance: Select the instance name for this setup. The Instance that was
configured in the Configuration wizard is selected here by default.
b. Contact: The name or a point of contact for the items that are created by the
wizard. You can edit these items later if necessary.
c. Root folder name: Enter a name for the default root folder. The default
folder acts as the root folder for all other folders you create.
d. Application URL: Enter the URL for the application users to access the
application. By default, this URL is the current computer's FQDN (fully
qualified domain name). (for example, http://myserver/mydomain/appscan/
).
4. (Windows authentication only): In the LDAP Settings page, select the Enable
LDAP check box if you use an LDAP server.
a. In the Server Name field, enter the LDAP group name.
b. In the Group Query field, enter the path of the group query that is used to
retrieve user group information. You can use an LDAP server or an Active
Directory server.
c. Optional: If you want to integrate with the LDAP server by using
anonymous access, select the Anonymous access check box. This option is
disabled by default.
d. Click Test LDAP to confirm the configuration works.
5. In the IP Security Permissions page, configure the IP addresses and ranges that
are allowed for scanning. Use a dash to define IPv4 ranges (such as 1.2.3.4–);
use a prefix to define IPv6 ranges (such as fe80::/10).
6. In the Populate Database with Sample Data page, select the Populate Sample
Data check box to populate the database with scan templates, pre-created
dashboards, server groups, and test policies.
7. Click Next. The Default Settings Wizard Progress page opens, displaying the
setup's progress.
8. When the wizard is complete, the Default Settings Wizard Complete page
opens.
9. Click Exit to close the wizard.
After the installation process is complete, you can verify the installation of the
Enterprise Console.
Procedure
Use this procedure to install the agents used for scanning and testing your website
applications. You can install the Scanner on multiple machines.
Note:
1. Make sure you read “Required user account information during installation
and configuration” on page 30 so that you know which user account to use
during installation.
2. Any technologies that you use on your website must also be installed with the
Scanner. For example, if you use Flash on any web pages, you must have the
correct version of Flash installed.
Procedure
1. Go to the directory where you downloaded the executable file
(ASE_DASSetup_<version>.exe) and double-click the file.
Note: Approximately 330 MB is required for the Web Services Explorer – GSC
(Generic Service Client tool) version 8.1 that is used to test Web Services for
security vulnerabilities.
4. In the Destination Folder window, click Next.
5. In the Ready to Install the Program window, click Install to proceed with the
installation, and then click Finish.
After you install or upgrade the Server or Scanner, you must configure each
installed component and run the Configuration wizard on all instances and on all
servers.
Procedure
1. Start the Configuration wizard by using one of these methods:
a. After installation, select the Launch Configuration Wizard check box in
the Setup Wizard Completed window.
b. From the Windows Start menu, select Configuration Wizard.
2. In the Welcome screen, click Next.
3. In the License Server window, specify the Rational License Server to use for
licenses. See “License Server” on page 153.
4. In the Instance Name window, specify the name of the instance you want to
configure. See “Instance Name” on page 154.
Note:
a. If you are upgrading an existing database from v8.6 or earlier, enter the
Database Master Key Password on the next screen to access it. Keep this
password in a secure location.
b. If your environment uses a named SQL Server instance for the AppScan
Enterprise database, make sure that TCP/IP is enabled in SQL Server
Configuration Manager, and restart the SQL Server services. Use the port
number of the named SQL Server instance instead of the default port number
(1433). Named instances listen on a dynamic port unless you assign a static
one in the TCP/IP properties, so check the port before you run the wizard.
7. (upgrade only) In the Database Encryption Changes window, click Help to
learn how to protect the SQL Server where the database is located. If you
decide not to enable TDE, select the check box so you can continue
configuration.
Note:
a. IIS AppPool settings on Windows 2008 Server R2 are set during
configuration:
v IIS recycling is set at 2:00am
v Idle timeout is set at 120 minutes
Note: If you do not choose to automatically start the agent service, the agents
do not pick up any jobs that are created by users. You can manually start the
service by using the Administrative tools; see “Verifying the agent service and
alerting service installation” on page 88.
10. Click Exit.
Procedure
1. On the Linux computer, log in with root access privileges.
2. Type ls -l AppScanServerSetup_9.0.3.bin. Make sure that you see
-rwxrwxr-x in the result listing. If the file is not executable, run
chmod +x AppScanServerSetup_9.0.3.bin first.
3. Run the .bin file. Type ./AppScanServerSetup_9.0.3.bin, and press Enter to
start the installer.
4. Pick a language for installation and click OK > Next.
5. Accept the terms of the license agreement.
6. Choose an installation folder (the default location is /opt/IBM/
AppScan_Server).
7. Review the installation summary and click Install. The files are copied onto
the Linux computer.
8. Configure the Liberty Server name, port number (the default is 9443), and the
Rational License Server name. Click Next.
9. Configure the LDAP settings. Select an LDAP server type. Some of the LDAP
configuration fields are pre-populated for you. Check that they are correct for
your environment.
a. If your LDAP server supports SSL, select the Connect to LDAP server
using SSL check box.
b. Enter the LDAP server host name and port (389 is the default for plain
LDAP; LDAP over SSL normally uses 636), and the Base DN.
c. If you need to be authenticated on the LDAP server, enter the Bind DN
and the Bind password. Click Next.
10. Configure the product administrator’s user name, and click Next. After the
Liberty service is configured, the installation is complete.
Results
Postinstallation checklist
After you install AppScan Enterprise, review and complete all of the necessary
tasks on the postinstallation checklist.
Table 14. Postinstallation checklist (check each task when complete)
v Verify the agent service and alerting service installation
v Secure the deployment
v Enable FIPS or enable NIST (Federal government agencies)
If you installed Server components on different machines, you must verify that the
services are started on each one.
Procedure
1. Using the Control Panel or the Start Menu, select Administrative Tools >
Services.
2. In the list of services, select Agent Service. If the service was properly installed
and started, a Started status will be displayed in the Status column. If this is not
the case, you can start the service by right-clicking the service name and
selecting Start.
3. Repeat Step 2 for the Alert Service.
http://www.ibm.com/support/knowledgecenter/de//SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_basic_registry.html
Procedure
1. During configuration, choose a certificate specific to your organization in the
Server Certificate dialog.
2. To secure IIS on the Enterprise Console Server:
a. Disable WebDAV.
b. Disable the EnableTraceMethod. This method determines whether IIS
recognizes the HTTP TRACE method. The TRACE method is used to invoke
Procedure
1. In Internet Explorer, navigate to AppScan Enterprise and choose to proceed
when you get the certificate warning.
2. Right-click on the page, choose properties, click Certificates.
3. Select Install Certificate and click Next.
4. Select Place all certificates in the following store, and click Browse.
5. Select Show physical stores.
6. Select Trusted Root Certification Authorities > Local Computer.
7. Click Next > Finish.
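The Internet Explorer steps above trust whatever certificate the browser happened to receive. The following is an added example, not part of the IBM guide: it fetches the certificate that the AppScan Enterprise console presents, shows its thumbprint, and installs it into the Local Computer Trusted Root store only if the thumbprint matches one you obtained out of band (for example, from the server's own certificate store). The host name, port and expected thumbprint are assumptions to replace. Run it in an elevated PowerShell session on each machine that needs the trust.

```powershell
# Added example (not from the IBM guide): pin-then-trust instead of click-through.
$aseHost  = 'ase.example.com'   # assumption: your Enterprise Console host
$asePort  = 443                 # assumption: the port the console is served on
$expected = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumption: thumbprint read on the server

function Get-RemoteCertificate([string]$targetHost, [int]$port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($targetHost, $port)
    try {
        # Accept any chain during this handshake: we only want to read the leaf,
        # not trust it yet. Trust is decided below against the pinned thumbprint.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
        $ssl.AuthenticateAsClient($targetHost)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$leaf = Get-RemoteCertificate $aseHost $asePort
"Presented: $($leaf.Subject)  thumbprint $($leaf.Thumbprint)  expires $($leaf.NotAfter)"
if ($leaf.Thumbprint -ne $expected) { throw 'Thumbprint mismatch: do not install this certificate' }

# Only a self-signed certificate belongs in Trusted Root; a CA-issued one should
# already chain, and you would trust the issuing CA instead.
if ($leaf.Subject -ne $leaf.Issuer) { throw 'Certificate is CA-issued; trust its issuer, not the leaf' }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($leaf)
$store.Close()
"Installed into LocalMachine\Root; chain now validates: $($leaf.Verify())"
```

The Windows store is what Internet Explorer and the other system-store browsers consult; Firefox and Java keep their own trust stores and need the same certificate imported separately.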
Incorrectly editing the registry may severely damage your system. Before making
changes to the registry, you should back up any valued data on your computer.
Procedure
1. Open the Registry Editor (Start > Run > regedit).
2. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
SecurityProviders\SCHANNEL\Ciphers key:
a. Create a new key called RC4 128/128 (Ciphers > New > Key > RC4 128/128).
b. Right-click the key's name and create a new DWORD (32-bit) Value called
'Enabled' (New > DWORD (32-bit) Value > Enabled).
c. Leave the default value as '0'. A value of 0 disables the algorithm in SCHANNEL.
3. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
SecurityProviders\SCHANNEL\Hashes key:
a. Create a key called MD5 (Hashes > New > Key > MD5).
b. Right-click the key's name and create a new DWORD (32-bit) Value called
'Enabled' (New > DWORD (32-bit) Value > Enabled).
c. Leave the default value as '0'.
4. Close the Registry Editor and restart the server. SCHANNEL reads these keys
at startup, so the change does not take effect until the reboot.
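The same change as the registry procedure above, scripted so it can be applied and verified on every Enterprise Console and Scanner host. This is an added example, not part of the IBM guide. It uses the .NET registry API rather than the PowerShell registry provider because the provider treats "/" as a path separator, so New-Item on a path ending in RC4 128/128 silently creates two nested keys ("RC4 128" and "128") instead of the one SCHANNEL expects. The guide covers RC4 128/128 and MD5; the 40- and 56-bit RC4 entries follow the same pattern and are included as an assumption that you want RC4 gone entirely. Run elevated; reboot afterwards.

```powershell
# Added example (not from the IBM guide): disable RC4 and MD5 in SCHANNEL.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Algorithms to disable: container under SCHANNEL and the key name inside it.
# 'RC4 128/128' and 'MD5' are the guide's two; the 40/56-bit RC4 keys are an
# assumption (same registry convention, same DWORD).
$disable = @(
    @{ Parent = 'Ciphers'; Name = 'RC4 128/128' },
    @{ Parent = 'Ciphers'; Name = 'RC4 56/128'  },
    @{ Parent = 'Ciphers'; Name = 'RC4 40/128'  },
    @{ Parent = 'Hashes';  Name = 'MD5'         }
)

function Disable-SchannelAlgorithm {
    param([string]$Parent, [string]$Name)
    $hklm      = [Microsoft.Win32.Registry]::LocalMachine
    $container = $hklm.CreateSubKey("$schannel\$Parent")   # opens writable, creates if missing
    $key       = $container.CreateSubKey($Name)             # "/" is not a separator here
    # Enabled = 0 (REG_DWORD) tells SCHANNEL not to offer or accept the algorithm.
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    $container.Close()
}

function Test-SchannelAlgorithmDisabled {
    param([string]$Parent, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$Parent\$Name")
    if ($null -eq $key) { return $false }
    $enabled = $key.GetValue('Enabled')
    $key.Close()
    return ($enabled -is [int]) -and ($enabled -eq 0)
}

foreach ($entry in $disable) {
    Disable-SchannelAlgorithm @entry
    $state = if (Test-SchannelAlgorithmDisabled @entry) { 'disabled' } else { 'NOT disabled' }
    '{0}\{1}: {2}' -f $entry.Parent, $entry.Name, $state
}
'Reboot the server; SCHANNEL only reads these keys at startup.'
```

After the reboot, confirm from another host that the console no longer negotiates an RC4 cipher suite (for example with a TLS scanner); the registry state alone does not prove what is on the wire.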
a Certificate Authority (CA) might be protected with algorithms that are not
provided with the limited policy files in Java SDK 7.0. Before you replace
self-signed certificates with CA-issued certificates, update your Java SDK policy
files.
The unrestricted JCE policy files that are provided in the policy file update can
ensure that you have the correct algorithms for CA-issued certificates.
Procedure
1. Use a browser to go to http://www.ibm.com/developerworks/java/jdk/security/index.html.
2. Click Java SE 7.
3. On the website that launches, click IBM SDK Policy files in the table of
contents and then ibm.com on the page that opens in the content pane.
4. On the website, enter your IBM.com ID and password.
5. Select Files for Java 5.0 SR16, Java 6 SR13, Java 6 SR5 (J9 VM2.6), Java
7 SR4, and all later releases and click Continue.
6. View the license, check I agree, and click I confirm.
7. Click Download now.
8. Extract the unlimited jurisdiction policy files that are packaged in a
compressed file. The compressed file contains a US_export_policy.jar file and
a local_policy.jar file.
9. On the server where AppScan Enterprise is installed, back up the following
files:
v US_export_policy.jar
v local_policy.jar
When you secure the connection on the SQL Server computer, SQL Server encrypts
its client connections with SSL/TLS. During the initial handshake, SQL Server
tells the AppScan Enterprise Server that the connection will be encrypted, and
the two sides negotiate the session using the server's certificate. The AppScan
Enterprise Server already knows how to talk to SQL Server over SSL, so the
work is on the SQL Server side: install a certificate, let the SQL Server
service read its private key, and force encryption.
Procedure
1. On the computer that hosts SQL Server, create an SSL certificate:
a. Go to Control Panel > Administrative Tools > IIS Manager > Server
Certificates > Create Self-Signed Certificate.
b. Give the certificate a name, click OK and Export the certificate.
c. Close IIS Manager.
2. On the computer that hosts SQL Server, start MMC console (Start > Run >
mmc).
a. Go to File > Add/Remove Snap-in > Certificates > Add > Computer
account.
b. Select the computer that you want the snap-in to manage and click Finish >
OK.
c. Expand Certificates and right-click the Personal folder and go to All Tasks
> Import.
d. Follow the wizard instructions and import the certificate.
e. Close the MMC Console and restart the SQL service.
Important: Make sure that the SQL Server service account can read the
certificate's private key (see step 4). If it cannot, the service might need to
run as a local account.
3. Open SQL Server Configuration Manager:
a. Expand SQL Server Network Configuration right-click Protocols for <sql
server name> and then select Properties.
b. On the Flags tab, select Yes in the Force encryption box, and then click OK.
c. Select the certificate from the Certificate tab and click OK to close the
window.
d. Restart the SQL Server service.
4. If you are running SQL Server with a non-privileged service account, you must
enable the private key to be readable by the SQL Server service account. Follow
the steps in this article: Permissions required for SQL Server Service account
to use SSL certificate.
Note: Read these sections: "Few more tips while enabling the encrypted
connection" and "Permissions to the Private Key portion of the Imported
Certificate - FIX" in this article: Enable Encrypted Connections to the Database
Engine (SQL Server Configuration Manager).
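The steps above are all performed in GUI tools, and the two articles referenced cover the private-key permission that most often goes wrong. The following is an added example, not part of the IBM guide, that checks the result of this procedure from an elevated Windows PowerShell 5.1 session on the SQL Server host: the certificate is fit for server authentication, the service account can read its private key, Configuration Manager wrote the Force encryption flag and the thumbprint, and a real connection comes back encrypted. Assumptions: the default instance MSSQLSERVER, a certificate already imported into the Local Computer Personal store (paste its thumbprint below), and the SqlServer PowerShell module for the last query.

```powershell
# Added example (not from the IBM guide): verify forced SSL on SQL Server.
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumption: your certificate

# 1. Certificate sanity: Server Authentication EKU (if an EKU list is present),
#    a subject matching the name clients connect to, and a private key present.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$eku  = @($cert.EnhancedKeyUsageList.ObjectId)
if ($eku.Count -gt 0 -and $eku -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate lacks the Server Authentication EKU'
}
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
"Subject $($cert.Subject); clients connect to $fqdn (these must match)"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }

# 2. Step 4 of the procedure: let the service account read the private key.
#    Keys made by IIS's Create Self-Signed Certificate are CSP keys stored as
#    files under ProgramData\Microsoft\Crypto\RSA\MachineKeys; CNG keys are not
#    handled here and need certlm.msc > Manage Private Keys instead.
$account = (Get-WmiObject Win32_Service -Filter "Name='MSSQLSERVER'").StartName
if ($null -eq $cert.PrivateKey) { throw 'CNG key: grant read access via certlm.msc > Manage Private Keys' }
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                     $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if ($account -ne 'LocalSystem') {        # LocalSystem already has access
    icacls $keyFile /grant "${account}:R" | Out-Null
}
(Get-Acl $keyFile).Access | Select-Object IdentityReference, FileSystemRights

# 3. What the Force encryption flag and the Certificate tab wrote. The instance
#    ID (for example MSSQL12.MSSQLSERVER on SQL 2014) is looked up, not assumed.
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').MSSQLSERVER
$netlib = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
"ForceEncryption=$($netlib.ForceEncryption)  Certificate=$($netlib.Certificate)"
if ($netlib.ForceEncryption -ne 1 -or $netlib.Certificate -ne $thumbprint) {   # -ne ignores case
    throw 'Force encryption is not configured with this certificate'
}

# 4. Round trip after the service restart: SQL Server reports whether the
#    session that asks is encrypted.
Import-Module SqlServer
$session = Invoke-Sqlcmd -ServerInstance $fqdn -Query `
    'SELECT encrypt_option, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
$session
if ($session.encrypt_option -ne 'TRUE') { throw 'Connection to SQL Server was not encrypted' }
```

Run the last step from the AppScan Enterprise Server as well, connecting by the same host name that the Configuration wizard uses; a name that does not match the certificate subject is the usual reason the AppScan side fails to connect after encryption is forced.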
from these types of attacks, encrypting the data offers more protection by
preventing an attacker from reading the stolen files.
Encrypting the data is only effective if the attacker is not able to hijack computer
accounts or passwords that were used to protect the data in the first place. Data
that is stored in Microsoft SQL Server database files can be protected by using
various encryption methods, such as:
v Hard disk drive encryption
v Encrypted file system
v Transparent data encryption (TDE) - which is a feature of MS SQL Server 2008
Enterprise Edition
v Cell encryption, which is done by encrypting individual columns in the tables of
the database
Cell encryption is the method that is least dependent on the computer that hosts
the database server, and can be used by any application that has access to the
database because the data that is being written is encrypted by the application.
However, this method has a significant impact on the application performance, and
Microsoft cautions against using this method and suggests Transparent Data
Encryption (TDE) as the alternative.
For organizations that have not used any additional data encryption methods other
than what was provided through cell encryption by AppScan Enterprise, read the
information in the Related Links section about how to enable data encryption and
protect your data:
Related tasks:
“Enabling Transparent Data Encryption on SQL Server databases”
SQL Server's built-in Transparent Data Encryption (TDE) mechanism encrypts the
data residing in the database files and in backups on physical media.
“Encrypting, backing up, and restoring a SQL Server database with EFS” on page
96
The Encrypting File System (EFS) is a feature of Microsoft Windows that lets you
store information on your hard disk in an encrypted format. EFS enables
transparent encryption and decryption of files by using advanced, standard
cryptographic algorithms. Use this method to encrypt the database file if you have
SQL Server Standard Edition 2008, 2008 SP3, 2008 R2 SP2, 2012, and 2014.
TDE is only available on the Enterprise edition of Microsoft SQL Server 2008 and
higher. For the Standard edition option, read “Encrypting, backing up, and
restoring a SQL Server database with EFS” on page 96.
To enable TDE on SQL Server, you must have the normal permissions associated
with creating a database master key and certificates in the master database. You
must also have CONTROL permissions on the user database.
Procedure
1. Open the SQL Management Studio of your installation of SQL Server 2008,
2008R2, 2012, or 2014.
2. Connect to the database you want to encrypt. This will help ensure the
database has been created and is available.
3. Go to the location where you downloaded the EnableTDE.zip file. Extract the
file and open the script. (File > Open > File). You will notice several
commands that will be executed on the server.
4. Before you execute the script, you must set three fields for your environment.
In the comments section of the script, they are all marked with ‘ACTION
REQUIRED’ :
a. DECLARE @MKPassword: The Master Key Password used to create the
master key in the [master] database.
b. DECLARE @DatabaseName : The name of the database you want to enable
encryption on.
c. (Optional) DECLARE @BackupPassword: The Certificate Backup Password.
This password is used to secure the certificate backup and is required to
restore the certificate on another machine.
5. After the fields have been updated, run the script (Query > Execute). See
“How the script enables TDE on SQL Server” on page 94.
6. After the script has completed, the result will be displayed in the ‘Messages’
window of SQL Management Studio.
Note: You can also verify through SQL Management Studio. Right-click on
“Database Name->Tasks->Manage Database Encryption”. You will see that the
check box for ‘Set Database Encryption On’ is selected.
Results
Important: Once completed, be sure to write down the passwords used in this
script, and make a copy of the certificate backup. The certificate backup consists of
two files, AppScanEntCert.bak and AppScanEntCert.pvk. They will be stored with
the database .mdf file, by default in the folder:
v (SQL 2014) C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\
MSSQL\DATA
v (SQL 2012) C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\
MSSQL\DATA
v (SQL 2008) C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\
MSSQL\DATA
v (SQL 2008 R2) C:\Program Files\Microsoft SQL Server\
MSSQL10_50.MSSQLSERVER\MSSQL\DATA
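The following is an added example and is not IBM's EnableTDE.zip script. It performs the same sequence the procedure describes (master key in [master], certificate, certificate backup as AppScanEntCert.bak and AppScanEntCert.pvk in the DATA folder, database encryption key, ENCRYPTION ON) through Invoke-Sqlcmd from the SqlServer PowerShell module, and then checks the encryption state instead of relying on the Messages window. Assumptions: you run it on the SQL Server host as a Windows-authenticated sysadmin, the instance and database names set at the top are yours, and the two passwords are entered at the prompts (they are never stored in the script).

```powershell
# Added example (not IBM's script): enable TDE on the AppScan Enterprise database.
Import-Module SqlServer                     # provides Invoke-Sqlcmd
$instance     = 'localhost'                 # assumption: default instance on this host
$databaseName = 'AppScanEnterprise'         # assumption: your AppScan database name
$certName     = 'AppScanEntCert'            # matches the backup file names in the guide

function Read-Plain([string]$prompt) {
    # Prompt without echo; double any single quote so it is safe inside a T-SQL literal.
    $secure = Read-Host -Prompt $prompt -AsSecureString
    return [pscredential]::new('x', $secure).GetNetworkCredential().Password.Replace("'", "''")
}
$mkPassword     = Read-Plain 'Master key password (@MKPassword)'
$backupPassword = Read-Plain 'Certificate backup password (@BackupPassword)'

# The guide says the .bak/.pvk land next to the .mdf; ask the server where that
# is instead of hard-coding a version-specific path.
$dataDir = (Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT LEFT(physical_name, LEN(physical_name) - CHARINDEX('\', REVERSE(physical_name))) AS dir
FROM sys.master_files WHERE database_id = DB_ID('$databaseName') AND type_desc = 'ROWS';
"@).dir
if (-not $dataDir) { throw "Database '$databaseName' not found on $instance" }

$enableTde = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$mkPassword';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$certName')
    CREATE CERTIFICATE [$certName] WITH SUBJECT = 'AppScan Enterprise TDE certificate';
BACKUP CERTIFICATE [$certName]
    TO FILE = '$dataDir\$certName.bak'
    WITH PRIVATE KEY (FILE = '$dataDir\$certName.pvk',
                      ENCRYPTION BY PASSWORD = '$backupPassword');
USE [$databaseName];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE [$certName];
ALTER DATABASE [$databaseName] SET ENCRYPTION ON;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $enableTde

# encryption_state 2 = encryption in progress (background scan), 3 = encrypted.
$state = Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT d.name, k.encryption_state, k.percent_complete
FROM sys.dm_database_encryption_keys k JOIN sys.databases d ON d.database_id = k.database_id
WHERE d.name = '$databaseName';
"@
$state | Format-Table -AutoSize
if ($state.encryption_state -notin @(2, 3)) { throw 'TDE was not enabled' }

# The certificate backup is the only way to open this database anywhere else.
# Move both files and the passwords to a vault, off the database host.
Get-Item "$dataDir\$certName.bak", "$dataDir\$certName.pvk" | Select-Object FullName, Length
```

Version 22 and later of the SqlServer module encrypts the connection by default and validates the server certificate; if you have not yet secured SQL Server's connection (previous task), connect from the host itself as shown rather than weakening the check with -TrustServerCertificate.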
Related tasks:
“Moving a TDE-protected database to another SQL Server” on page 95
Follow these steps when you need to restore or move a TDE-protected database to
another server.
Related information:
The articles listed below provide further details that should be part of your SQL
Server database maintenance plan.
Understanding Transparent Data Encryption (TDE)
Move a TDE Protected Database to Another SQL Server
SQL Server Certificates and Asymmetric Keys
SQL Server and Database Encryption Keys (Database Engine)
Follow these steps when you need to restore or move a TDE-protected database to
another server.
Procedure
1. Copy the two certificate files (AppScanEntCert.bak and AppScanEntCert.pvk)
that you created in the “Enabling Transparent Data Encryption on SQL Server
databases” on page 92 task to a location on your machine (for example,
C:\Certificate\).
2. Open the SQL Management Studio of your SQL Server 2008 or 2012
installation.
3. Go to the location where you downloaded the RestoreTDECertificate.zip file.
Unzip the file and open the script. (File > Open > File). You will notice several
commands that will be executed on the server.
4. Before you execute the script, you must set three fields for your environment
(they are all marked with ‘ACTION REQUIRED’ in the comments section of the
script):
v DECLARE @MKPassword: The Master Key Password used to create the
master key in the [master] database where you enabled TDE
v DECLARE @BackupPassword: The password that was used to back up the
certificate if it is different from @MKPassword
v DECLARE @Path: The path of the location that you copied the two files
AppScanEntCert.bak and AppScanEntCert.pvk
5. After the fields have been updated, click Query > Execute to launch the script.
Results
After the script has completed, the result will be displayed in the ‘Messages’
window of SQL Management Studio. If you see the message: "The certificate is
restored successfully, you can restore the database.", you should be able to restore
the database on this SQL Server.
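An added example, not IBM's RestoreTDECertificate.zip script, of the same restore on the destination instance, followed by the check that matters: RESTORE VERIFYONLY against a TDE-protected backup only succeeds once the certificate that encrypted the source database is present, so it proves the point before you attempt the real restore. Assumptions: the two files were copied to C:\Certificate\ as in step 1, you are a Windows-authenticated sysadmin on the destination instance, a backup of the AppScan database exists at the path set below, and the passwords are entered at the prompts.

```powershell
# Added example (not IBM's script): restore the TDE certificate, then verify a backup.
Import-Module SqlServer
$instance = 'localhost'                          # assumption: destination instance
$certName = 'AppScanEntCert'
$certPath = 'C:\Certificate'                     # step 1 location
$dbBackup = 'C:\Backup\AppScanEnterprise.bak'    # assumption: backup of the AppScan database

function Read-Plain([string]$prompt) {
    $secure = Read-Host -Prompt $prompt -AsSecureString
    return [pscredential]::new('x', $secure).GetNetworkCredential().Password.Replace("'", "''")
}
$mkPassword     = Read-Plain 'Master key password for this instance (@MKPassword)'
$backupPassword = Read-Plain 'Certificate backup password (@BackupPassword)'

# Order matters: the destination needs its own master key before a certificate
# with a private key can be imported, and the certificate must exist before any
# RESTORE of the encrypted database.
$restoreCert = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$mkPassword';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$certName')
    CREATE CERTIFICATE [$certName]
        FROM FILE = '$certPath\$certName.bak'
        WITH PRIVATE KEY (FILE = '$certPath\$certName.pvk',
                          DECRYPTION BY PASSWORD = '$backupPassword');
SELECT name, pvt_key_encryption_type_desc, thumbprint FROM sys.certificates WHERE name = '$certName';
"@
$cert = Invoke-Sqlcmd -ServerInstance $instance -Query $restoreCert
if (-not $cert) { throw 'Certificate was not created' }
$hex = ($cert.thumbprint | ForEach-Object { $_.ToString('x2') }) -join ''
"Certificate $($cert.name) restored; private key $($cert.pvt_key_encryption_type_desc); thumbprint $hex"

# VERIFYONLY fails with error 33111 (cannot find server certificate with
# thumbprint ...) when the certificate on this instance is not the one that
# protected the source database, without touching any existing database.
try {
    Invoke-Sqlcmd -ServerInstance $instance -Query "RESTORE VERIFYONLY FROM DISK = '$dbBackup';" -ErrorAction Stop
    'Backup is restorable on this instance.'
} catch {
    throw "Backup cannot be restored here: $($_.Exception.Message)"
}
```

If the thumbprint printed here differs from the encryptor_thumbprint that sys.dm_database_encryption_keys reports on the source server, you restored a different certificate (for example one generated by a second run of the enable script), and the original backup files are the ones you need.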
Encrypting, backing up, and restoring a SQL Server database with EFS:
The Encrypting File System (EFS) is a feature of Microsoft Windows that lets you
store information on your hard disk in an encrypted format. EFS enables
transparent encryption and decryption of files by using advanced, standard
cryptographic algorithms. Use this method to encrypt the database file if you have
SQL Server Standard Edition 2008, 2008 SP3, 2008 R2 SP2, 2012, and 2014.
Note:
v The service account can be the same or different than the one you use for
AppScan Enterprise.
v Use one service account to log in to the SQL Server service and to encrypt
any of the databases that are hosted through that service.
v The SQL Server service account will be referred to as 'the service account' in
these instructions.
2. Locate the file path of the database, if it differs from the default locations
listed here. You need this information for step 3. You can find the default
location by opening Microsoft SQL Server Management Studio: right-click the
SQL Server that hosts the database, and click Properties > Database settings >
Database default locations.
This procedure must be completed before you run the configuration wizard;
otherwise, you won't be able to access the database. See “Configuring the SQL
Server database for AppScan Enterprise” on page 40.
Procedure
1. Go to Start > Administrative Tools > Services and stop the SQL Server service
that hosts the AppScan Enterprise database you are going to encrypt. The
default service is SQL Server (MSSQLSERVER).
2. Right-click the name of the service to open the properties dialog. On the Log
on tab, select This account, enter the credentials of the service account, and
then click OK.
3. In Windows Explorer, right-click the folder where the database resides, and go
to Properties > Security to give the service account Read & execute and Read
permissions on both the <databasename.mdf> file and the parent folder.
Note:
If the folder is not encrypted yet, select Apply changes to this folder,
subfolders and files when prompted. If you select this option after you run the
Server Configuration Wizard, then the database is not encrypted. If this process
is applied to the database and the corresponding log file after the Server
configuration wizard is run, then the database might get into a "Recovery
Pending" state. Then, the encrypted database is not accessible in SQL Server
Management tools and AppScan Enterprise.
5. In the Services window, start the SQL Server that hosts the AppScan Enterprise
database.
Results
Note: Only the user who encrypted the file can decrypt it. You can determine who
encrypted specific files in the Details section on the Properties > Advanced
Attributes window. The backup of the encrypted database will NOT be encrypted
automatically. Follow the steps in Backing up and restoring an EFS-encrypted
database.
Procedure
1. In Windows Explorer, expand the folder where the database backup resides,
and give the service account Read & execute and Read permissions on the
<databasename.bak> file.
Note: The credentials of the user that is logged in will be used to encrypt the
database. If you are not logged in as the service account, do that now.
2. Right-click the <databasename.bak> file and go to Properties > General >
Advanced > Encrypt contents to secure data, and click OK.
Detaching, encrypting, and attaching a database encrypted with EFS:
There might be times when you do not want to stop the SQL Server service during
database encryption; for example, when there are several databases running on
that service and you do not want them to be unavailable. You can detach, encrypt,
and attach the database instead.
'The service account' must be used to log in to the SQL Server service and to
encrypt any other databases on the same SQL Server.
Procedure
1. Go to Start > Administrative Tools > Services and stop the SQL Server
service that hosts the AppScan Enterprise database you are going to encrypt.
The default service is SQL Server (MSSQLSERVER).
2. Right-click the name of the service to open the properties dialog. On the Log
on tab, select This account, enter the credentials of the service account, and
then click OK.
3. In the Services window, start the SQL Server that hosts the AppScan
Enterprise database.
4. In Windows Explorer, right-click the <databasename.mdf> file and go to
Properties > General > Advanced > Encrypt contents to secure data, and
click OK.
5. Open Microsoft SQL Server Management Studio and connect to the SQL
Server that serves that database.
6. Under the 'Databases' tree, right-click the database you want to encrypt and
click Tasks > Detach.
7. In the Detach Database window, if there are open connections, select the Drop
Connections check box and click OK.
8. In Windows Explorer, right-click the <databasename.mdf> file and go to
Properties > General > Advanced > Encrypt contents to secure data, and
click OK.
9. Repeat Step 8 for the <databasename.ldf> file.
10. In Microsoft SQL Server Management Studio, right-click the Databases tree,
and choose Attach.
11. In the Attach Databases window, click Add and navigate to the encrypted
<databasename.mdf> file. Select it and click OK > OK
12. Repeat Step 11 for the <databasename.ldf> file.
Overview
Government agencies and financial institutions use these standards to ensure that
their products conform to specified security requirements. Recently, new security
FIPS 140-2
One of the standards published by NIST is the Federal Information Processing
Standard Security Requirements for Cryptographic Modules, referred to as FIPS
140-2. FIPS 140-2 provides a standard that can be required by US federal agencies
who specify that cryptographic-based security systems are to be used to provide
protection for sensitive or valuable data. Many US federal agencies can still
operate at this level, but might be required to move up to the newer
SP800-131a standard. See The National Institute of Standards and Technology for
more information about the 140-2 standard. AppScan Enterprise is compliant with
FIPS 140-2.
NIST SP800-131a
Procedure
1. In the Enterprise Console, go to the General Settings page of the
Administration view, and click Edit in the Enterprise Console Settings section.
2. By default, the check box in the Enable enhanced security section is cleared. Select
the option if your organization must be compliant with FIPS 140-2 or NIST SP
800-131a. When the option is selected, use the Manual Explorer tool to
manually explore your application for additional URLs. See Manually exploring
your site to add more URLs to the scan to learn how to download and use the
tool.
Note: Upon upgrade from version 8.7, the check box keeps the value it had
before upgrade. If you were FIPS compliant, then this checkbox remains
selected; otherwise, it remains cleared.
3. Click Done.
Enabling FIPS 140-2 compliance on your operating system
After you upgrade AppScan Enterprise Server and the Dynamic Analysis Scanner,
enable FIPS compliance on your operating system.
Procedure
v On Windows:
1. Go to Start > Control Panel > Administrative tools > Local Security Policy.
2. Go to Security Settings > Local Policies > Security Options > System
Cryptography and enable the Use FIPS compliant algorithms for
encryption, hashing, and signing security setting.
v On Linux:
1. Follow the steps in https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html.
Procedure
1. Go to <install-dir>IBM\AppScan Enterprise\localsettings.xml, and make
the appropriate edits:
v For NIST transition (called 'NIST compatible' in SiteProtector), keep the
default setting <param name='sslCipherMode' value='FIPS'
xmlns='http://www.iss.net/cml/CorePolicyCommon' ordinal='8' />.
Note: AppScan Enterprise works with SiteProtector 3.0 in strict mode, but
not with SiteProtector 3.0 in compatible mode nor SiteProtector 2.9.
2. Save and close the file.
During installation and configuration, make sure that you select LDAP
authentication in the Authentication Mechanism screen of the configuration
wizard.
Note:
1. If CAC was enabled before you apply AppScan Enterprise v9.0.3.1 iFix1,
disable it before you run the configuration wizard during the iFix1 installation.
Then, you can re-enable CAC and log in to AppScan Enterprise and complete
the following task.
2. No user actions are required to enable authentication by using Microsoft
Internet Explorer. For Mozilla Firefox users, your organization might have
specific instructions for enabling CAC in the browser.
Procedure
1. Install AppScan Enterprise by using an LDAP server that contains the CAC
users.
2. Make sure that the Product Administrator for AppScan Enterprise is also a
CAC user.
Note: You can use a Java iKeyman tool to manage your digital certificates.
With iKeyman, you can add certificate authority (CA) roots to your
database, copy certificates from one database to another, request and receive
a digital certificate from a CA, set default keys, and change passwords. The
iKeyman utility is included with AppScan Enterprise and is stored in
<install-dir>\AppScan Enterprise\Liberty\jre\bin\ikeyman.exe. You can
download additional information on iKeyman from IBM DeveloperWorks:
iKeyman Guide.
c. Add the CA certificates, one at a time, and create a label for each one. If
you use iKeyman, you can also create a label for each one. After you finish
adding all the certificates of the full chain, close the iKeyman tool.
4. Modify the web.xml file to replace Form-Based Authentication with
Client-Certificate Authentication.
Note: Make a backup of the web.xml file before you modify it.
a. Stop the IBM Security AppScan Enterprise Server service.
b. Locate the AppScanServerWeb.war file of your AppScan Enterprise instance
that is in: <install-dir>\AppScan Enterprise\Liberty\usr\servers\ase\
apps\AppScanServerWeb.war.
c. Rename the AppScanServerWeb.war file to AppScanServerWeb.zip and
navigate into the WEB-INF folder to retrieve the web.xml file for editing.
d. Replace the following section of the file:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/pages/Login.jsp</form-login-page>
<form-error-page>/pages/Login.jsp?Retry=True</form-error-page>
</form-login-config>
</login-config>
with
Note: The "uid" in the LDAP directory must match the attribute of the
certificate. Modify this example of a filter so that it maps to your
environment. In this example, if the "SubjectCN" of the certificate is
"CN=IBM", then the user name (uid) in the LDAP directory must also be
"IBM".
This example shows an LDAP registry configuration that uses IBM Tivoli®
Directory Server. The LDAP user IDs match the subject CN in the certificates
that are stored on the CAC card:
Results
Users that use Common Access Cards are able to log in to AppScan Enterprise
without providing a user name and password.
You might want to consider installing multiple instances when you need to
support multiple environments on a single large server. For example, if your
organization is structured into business units, each with its own website, you can
install one instance of the Server for each. Each group can have its own Enterprise
Console and database, independent of the others.
You can install multiple instances of the Enterprise Console or the Agents. For
installation instructions, see Running the Server Configuration Wizard.
You might want to install the default instance first, and then install additional
named instances as required. There is no limit to the number of named instances
that you can run on a single computer.
Note:
v If you add a new instance using the Configuration Wizard, you must restart the
Agent Service to incorporate the change.
Procedure
1. Create local accounts on all of the Dynamic Analysis Scanners with the same
user name/password to be used as the service account and for login during
installation. Administrative accounts are preferred; see “Required user account
information during installation and configuration” on page 30 for a list of
specific permissions.
2. A connection between the scanner and ASE database is required. Open the
standard MS SQL ports 1433/1434 in the firewall, or add a custom port if
communication with SQL Server is configured this way and is preferred.
3. Run the configuration wizard. In the Database Connection window, enter the
server name and port numbers when prompted.
4. While the configuration wizard is running, you will encounter this error: "The
server or role does not exist." This message displays because you are using
local accounts, but it doesn't affect the installation. To bypass the error, use the
Ctrl key while you click OK in the message dialog.
5. Finish the configuration wizard and exit.
Note: If you need to run and view reports, configure the Enterprise Console as
well as the User Administration component.
8. Install AppScan Source. See the documentation for complete details.
9. “Configuring an AppScan Source Oracle database with AppScan Enterprise
Server.”
Procedure
1. The parameter to add is: -Doracle.net.tns_admin={path to directory containing
the tnsnames.ora file}. For example: -Doracle.net.tns_admin=c:\oracle\
product\10.2.0\client_1\NETWORK\ADMIN
2. Choose your deployment:
a. If you are running on Windows, update the <install-dir>/appscan
enterprise/Liberty/usr/servers/ase/jvm.options file.
b. If you are running on Linux, update the /opt/IBM/AppScan_Server/Liberty/
usr/servers/ase/jvm.options file.
3. Stop the Liberty service and restart it for the changes to take effect.
This procedure assumes that you added the multiple IP addresses to your host file
on the computer where AppScan Enterprise is installed.
Procedure
1. Stop the IBM Security AppScan Enterprise Server service.
2. Locate the server.xml file at <install-dir>\AppScan Enterprise\Liberty\usr\
servers\<ase instance name>\server.xml and open it in an XML editor.
3. Locate the <httpEndPoint> section and if the "host" equals a host name, replace
it with an asterisk instead, such as host="*".
4. Save and exit the file.
5. Start the IBM Security AppScan Enterprise Server service.
If you have more than one instance of the Enterprise Console, use this procedure
to remove the instance that is no longer required.
Procedure
1. Go to Start > AppScan Enterprise Configuration Wizard.
2. Go through the wizard until you get to the Instance screen.
3. Clear the Use default name check box.
4. Select the name of the relevant instance, click Remove, confirm the removal
when prompted, and finish the wizard.
Procedure
1. Go to Control Panel and remove the IBM Security Dynamic Analysis Scanner
and IBM Security AppScan Enterprise Server software.
2. After you remove the application from the hard disk drive, go to the
application installation directory in Program Files and delete the application
folder.
3. Reinstall the application.
Enterprise will retain the value previously used. If you select the Unique check
box, you cannot clear the Use Imported Values check box.
v There were changes to the REST APIs.
Note:
Possible naming conflicts between v9.0.1 application attribute customizations and new
v9.0.2 dashboard trend charts
The Open Issues and Applications with Open Issues charts rely on a new
application attribute called "Open Issues" that is defined as a formula. However,
if you previously created an application attribute called "Open Issues" of any
type other than formula, the upgrade does not attempt to resolve the conflict
between your attribute and the one that version 9.0.2 needs for the new charts.
The new charts will not display as intended after upgrade, and you must resolve
this problem manually. Rename your "Open Issues" attribute to something else if
you want to preserve its values. Update all formulas where you referenced your
"Open Issues" attribute to reflect the new name. Then, rerun the configuration
wizard to create the "Open Issues" formula attribute that the new charts require.
v A new approach to create scans consistent with AppScan Standard, for both the
security team who creates the templates and for the developers who create the
scans. See “Overview of scan configuration differences in v9.0.2 and higher and
in previous versions” on page 151.
– The new method is accessed from both the Monitor and Scans views.
– Existing scan templates from v9.0.1.1 are kept after upgrade, and the old
method of QuickScan template creation still exists.
– To take advantage of this new method, during upgrade you must run the
Default Settings Wizard after the Configuration Wizard to install the
templates for v9.0.2.
– To avoid any template name conflicts in the Templates directory in the Folder
Explorer, (v9.0.2) is appended to the template name.
– If you install a new instance of AppScan Enterprise, you can still access the
templates from v9.0.1.1. When you create a new content scan or template
from the Scans view, select Create using previously saved settings file and
go to <install-dir>\AppScan Enterprise\Initializations\ASE\
DefaultTemplates\Job\Version 9.0.1.1 to select the *.xml file.
v The embedded version of Liberty is now v8.5.5.4. During configuration, you can
choose to restore previous AppScan Server customized settings on the Liberty
Server. See Restore AppScan Server settings.
For further details on what's new and changed since v9.0.1.1, read this whitepaper.
Version 8.5 and 8.6 use the Rational License Server. It is critical that you read and
understand “Product and user licenses” on page 36 before you install the current
version.
You will need to know your Passport Advantage login credentials for this task.
Note: In AppScan Enterprise v9.0.2, support for Liberty Server v8.5.5.2 has
been replaced with v8.5.5.4.
2. What is WebSphere Liberty?
IBM WebSphere Liberty is a lightweight version of WebSphere, and is easier to
install and configure. Liberty is embedded into AppScan Enterprise 9.0.1,
eliminating the need to install an extra component in your environment.
3. What operating systems does it run on?
Procedure
1. During configuration, select Windows Authentication in the Authentication
Mechanism screen of the configuration wizard, click Next, and complete the
wizard.
2. Create local Windows users on the computer that hosts the Enterprise Console.
The administrator must have computer access to create local Windows users.
Note:
a. These local Windows user IDs and passwords are to be used to access
AppScan Enterprise.
b. In this case, password expiry is governed by Windows policies. Password
management is handled by the AppScan Enterprise product administrator
by manually changing the user's passwords on the computer that hosts the
Enterprise Console.
c. If you need to run the AppScan Enterprise configuration wizard again on
the computer that hosts the Enterprise Console, the authentication option
remains set as “Windows Authentication”. No further tweaking is necessary
to preserve the authentication method that is already set up.
d. If you are migrating users from Jazz Team Server into this authentication
method, there is a way to preserve each user’s AppScan Enterprise user
After you follow this procedure, you must use the local user account to log in to
AppScan Enterprise. You cannot use the service account.
Procedure
1. During configuration, select Windows Authentication in the Authentication
Mechanism screen of the configuration wizard, click Next, and complete the
wizard.
2. Stop the IBM Security AppScan Enterprise Server service. You can type “net
stop IBM Security AppScan Enterprise Server” in a command prompt
window, or follow these steps:
a. Go to the Windows Service Management Console (Start > Run >
services.msc).
b. In the Services section, right-click IBM Security AppScan Enterprise Server
and select Stop Services in the menu.
3. Locate the server.xml file at <install-dir>\AppScan Enterprise\Liberty\
usr\servers\<ase instance name>\server.xml and open it in an XML editor.
4. Locate and remove the <feature>usr:WindowsRegistryFeature</feature>
section.
5. Add a basic user registry section to the server.xml file as follows:
<basicRegistry id="basic">
<user name="mlee" password="p@ssw0rd" />
<user name="rkumar" password="pa$$w0rd" />
<user name="gjones" password="{xor}Lz4sLCgwLTs=" />
</basicRegistry>
Note:
a. You must use unique names for your users and groups.
b. Remove all trailing and leading spaces from the user and group names.
c. If user ID or password contains characters other than US-ASCII, make sure
that the file is saved by using UTF-8 character encoding.
6. Optional: Encode the password for each user by using the securityUtility
encode command. The securityUtility command line tool is available in the
<install-dir>\AppScan Enterprise\Liberty\bin directory.
7. Optional: When you run the securityUtility encode command, you can supply
the password to encode as a command-line argument. If no arguments are
specified, the tool prompts you for the password. The tool then outputs the
encoded value.
8. Optional: Copy the value output by the tool, and use that value for the
password. For example, to encode the password "GiveMeLiberty", run the
following command: securityUtility encode GiveMeLiberty. You can encode
the password using the “aes” encoding type. If there is a key.xml file located
Note: Liberty does not provide a mechanism for password expiry, and
changing passwords periodically is a manual process that involves encryption
steps as described next.
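The {xor} value in the basicRegistry example above is reversible obfuscation, not encryption; the following added example (not Liberty's own securityUtility code, and not part of this guide) re-implements the encoding to make that visible and audits a basicRegistry fragment for plaintext passwords. It assumes that {xor} values are the password bytes XORed with '_' (0x5F) and then base64-encoded, which is the WebSphere/Liberty convention, and treats {aes} values as opaque.

```python
"""Added example: Liberty {xor} password encoding and a basicRegistry audit.
Assumption: {xor} = base64(password bytes XOR 0x5F); {aes} values are opaque here."""
import base64
import re

XOR_KEY = 0x5F  # the '_' character used by the {xor} scheme (assumption, see lead-in)


def xor_encode(password):
    """Produce the {xor}... value that securityUtility encode emits by default."""
    data = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(data).decode("ascii")


def xor_decode(encoded):
    """Recover the plaintext from a {xor}... value; no secret key is involved."""
    if not encoded.startswith("{xor}"):
        raise ValueError("not a {xor} value: %r" % encoded)
    raw = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


# Matches the <user name="..." password="..." /> elements of a basicRegistry.
USER_RE = re.compile(r'<user\s+name="([^"]*)"\s+password="([^"]*)"')


def audit_basic_registry(server_xml):
    """Classify every basicRegistry password as plaintext, xor (reversible) or aes."""
    findings = {}
    for name, password in USER_RE.findall(server_xml):
        if password.startswith("{xor}"):
            findings[name] = "xor"
        elif password.startswith("{aes}"):
            findings[name] = "aes"
        else:
            findings[name] = "plaintext"
    return findings


# Constructed sample: the basicRegistry fragment from the procedure above.
SAMPLE_REGISTRY = """
<basicRegistry id="basic">
  <user name="mlee" password="p@ssw0rd" />
  <user name="rkumar" password="pa$$w0rd" />
  <user name="gjones" password="{xor}Lz4sLCgwLTs=" />
</basicRegistry>
"""

if __name__ == "__main__":
    # Two of the three users are stored in plaintext; the third is only obfuscated.
    print(audit_basic_registry(SAMPLE_REGISTRY))
    # Anyone who can read server.xml can reverse a {xor} value without a key.
    print(xor_decode("{xor}Lz4sLCgwLTs="))
    print(xor_encode("GiveMeLiberty"))
```

Because the audit only needs read access to server.xml, it is a useful post-configuration check that every basicRegistry entry uses at least the "aes" encoding type that step 8 mentions.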
Procedure
1. Copy server.xml to server.xml.backup.
2. Remove the following section from server.xml:
<basicRegistry id="basic">
<user name="mlee" password="p@ssw0rd" />
<user name="rkumar" password="pa$$w0rd" />
<user name="gjones" password="{xor}Lz4sLCgwLTs=" />
</basicRegistry>
3. Add the <feature>usr:WindowsRegistryFeature</feature> section back in.
4. Rerun the configuration wizard.
5. Delete server.xml.
6. Rename server.xml.backup to server.xml
Results
If the user IDs that are recorded in the Liberty basic user registry match the user
IDs that were specified in Jazz Team Server, no further configuration is necessary,
and the migration is complete. However, if the user IDs do not match after
migration, you can run a custom SQL script to remap older user IDs to newer
ones. Run this custom script with help from IBM.
Procedure
1. Identify and document hardware elements that host software components:
v AppScan Enterprise Server (main application server hosted by IIS)
v AppScan Enterprise dynamic scanning agents
v Microsoft SQL Server database
2. Create a table like this one to track your information:
Table 16. Proposed environment server requirements
Component                               | Server | Operating System | Technical Specifications | Required Software
AppScan Enterprise Server               |        |                  |                          |
SQL Server                              |        |                  |                          |
AppScan Dynamic Analysis Scanner server |        |                  |                          |
Note: If you do not install SQL Server on a separate machine, make sure that
you specify "HOSTNAME\SQL_SERVER_NAME" as the SQL Server name in
the Database Connection window during configuration. Liberty server does not
support "." as a replacement for 'localhost'.
3. Back up the production database, and load the database into the staging SQL
Server.
4. Install AppScan Enterprise Server to the application server.
a. Go to the directory where you downloaded the executable file
(AppScanEnterpriseServerSetup_<version>.exe) and double-click the file.
Results
Once the above steps have been completed, and your Information Security team is
satisfied that all components of the running software in staging are functioning,
stable, and ready for production use, upgrade to your production server.
Note:
v Always uninstall AppScan Enterprise components before installing new
versions or fixpacks.
v Always leave existing components of AppScan Enterprise in place and install
on top of these when you apply an iFix or a patch.
2. Upgrade production SQL server to the latest release that AppScan Enterprise
supports.
3. Upgrade production Agent Dynamic Analysis Scanner servers to the latest
release.
4. Perform system reboot, then put AppScan Enterprise server in service.
5. Perform system reboot, then put Agent Scanner servers in service.
Note: If your environment uses a named SQL Server instance for the AppScan
Enterprise database, make sure that TCP/IP is enabled in the SQL Server
configuration manager, and restart the SQL services for SQL Server and SQL Server
browser. For example, this applies if in the SQL Server or Server\Instance name
field you specify <sql_server_host>\<sql_server_instance> instead of
<sql_server_host>.
If your configuration uses Microsoft SQL Server Standard Edition, and you plan to
encrypt your AppScan Enterprise databases, then this procedure needs to be
performed before you install AppScan Enterprise.
Related information:
Procedure
1. Optional: If you don't have a server certificate, create one from your certificate
authority.
a. Generate a certificate request to send to your external certificate authority.
b. Send the certificate request to the certificate authority using a method that
the certificate authority accepts.
c. When you receive the certificate, complete the certificate request.
2. Install AppScan Enterprise Server.
3. Run the configuration wizard.
Procedure
1. Stop the AppScan Enterprise Server services.
2. Edit the file <install-dir>\AppScan Enterprise\Liberty\usr\servers\ase\
config\asc.properties.
3. Set the value of core.db.oracle.jdbc.connection.string to the appropriate
connection string for the new server. For example, ldap://oid:389/
r7sol001,cn=OracleContext,dc=company,dc=com
4. Make sure that the value of core.db.oracle.jdbc.connection.string is set to
the appropriate alias. For example, r7sol001
5. Save the changes and restart the AppScan Enterprise Server services.
Run the configuration wizard and start the services before you start this task.
Procedure
1. To enable FIPS 140-2:
a. Locate the installation directory of Liberty at <install-dir>\AppScan
Enterprise\Liberty\usr\servers\ase.
b. Add the -Dcom.ibm.jsse2.usefipsprovider=true property to the jvm.options file
to enable the JSSE2 provider to run in FIPS 140-2 mode.
c. Go to <install-dir>\AppScan Enterprise\Liberty\jre\lib\security
directory.
d. In a text editor, edit the java.security master security properties file to
register additional cryptographic package providers.
e. Update these two lines:
#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=
to
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
f. Locate the list of cryptographic providers that are located after the line # List
of providers and their preference orders and replace it with the following list:
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
g. Optional: Go to <install-dir>\AppScan Enterprise\Liberty\jre\bin and
open a cmd window. Your certificates must be at least 1024 bits in size and can
be signed with a DSA or RSA signature algorithm. The keytool utility can
be used to generate a compatible keypair:
keytool -genkey -alias default -keyalg RSA -keysize 1024 -dname CN=example -keystore fips.jks -storepass Liberty -keypass Liberty
h. Save and close the file, and then rerun the configuration wizard.
2. To enable NIST SP800-131a:
a. Locate the installation directory of Liberty at <install-dir>\AppScan
Enterprise\Liberty\usr\servers\ase.
b. Add the -Dcom.ibm.jsse2.sp800-131=transition property to the jvm.options file
to enable the JSSE2 provider to run in NIST transition mode.
c. Go to the server.xml file in the same directory and replace the
sslProtocol="SSL_TLSv2" property with sslProtocol="TLSv1.2".
d. Save and close the file, and then rerun the configuration wizard.
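A read-only check of the three files that steps 1 and 2 above edit, added here as an example; it is not part of this guide or of the product. It assumes you read the real jvm.options, java.security and server.xml from the paths named in the procedure, and the "before" contents below are constructed samples, not IBM's shipped defaults.

```python
"""Added example: verify the Liberty FIPS 140-2 / NIST SP800-131a edits from the
procedure above. File contents are passed in as strings; the samples are constructed."""
import re

# Provider order the procedure prescribes for java.security (copied from step 1f).
FIPS_PROVIDER_ORDER = [
    "com.ibm.crypto.fips.provider.IBMJCEFIPS",
    "com.ibm.jsse2.IBMJSSEProvider2",
    "com.ibm.crypto.provider.IBMJCE",
    "com.ibm.security.jgss.IBMJGSSProvider",
    "com.ibm.security.cert.IBMCertPath",
    "com.ibm.security.sasl.IBMSASL",
    "com.ibm.xml.crypto.IBMXMLCryptoProvider",
    "com.ibm.xml.enc.IBMXMLEncProvider",
    "org.apache.harmony.security.provider.PolicyProvider",
    "com.ibm.security.jgss.mech.spnego.IBMSPNEGO",
]


def active_properties(text):
    """Parse key=value lines of a Java properties file; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def provider_order(props):
    """Return provider class names ordered by their security.provider.N index."""
    entries = []
    for key, value in props.items():
        match = re.fullmatch(r"security\.provider\.(\d+)", key)
        if match:
            entries.append((int(match.group(1)), value))
    return [value for _, value in sorted(entries)]


def check_fips_config(jvm_options, java_security, server_xml, nist_transition=True):
    """Return a list of findings; an empty list means every setting from the procedure is present."""
    findings = []
    flags = {line.strip() for line in jvm_options.splitlines()}
    if "-Dcom.ibm.jsse2.usefipsprovider=true" not in flags:
        findings.append("jvm.options: -Dcom.ibm.jsse2.usefipsprovider=true missing")
    if nist_transition and "-Dcom.ibm.jsse2.sp800-131=transition" not in flags:
        findings.append("jvm.options: -Dcom.ibm.jsse2.sp800-131=transition missing")

    props = active_properties(java_security)
    expected = {
        "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
        "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
    }
    for key, value in expected.items():
        if props.get(key) != value:  # still commented out, or pointing elsewhere
            findings.append("java.security: %s is not %s" % (key, value))
    order = provider_order(props)
    if order != FIPS_PROVIDER_ORDER:
        first = order[0] if order else None
        findings.append("java.security: provider list is not the FIPS order (first: %s)" % first)

    if nist_transition:
        match = re.search(r'sslProtocol="([^"]*)"', server_xml)
        protocol = match.group(1) if match else None
        if protocol != "TLSv1.2":
            findings.append("server.xml: sslProtocol is %s, expected TLSv1.2" % protocol)
    return findings


# Constructed samples: a pre-procedure state and the state after all edits.
BEFORE = {
    "jvm.options": "-Xmx1024m\n",
    "java.security": (
        "# List of providers and their preference orders\n"
        "security.provider.1=com.ibm.crypto.provider.IBMJCE\n"
        "security.provider.2=com.ibm.jsse2.IBMJSSEProvider2\n"
        "#ssl.SocketFactory.provider=\n"
        "#ssl.ServerSocketFactory.provider=\n"
    ),
    "server.xml": '<ssl id="defaultSSLConfig" sslProtocol="SSL_TLSv2" />\n',
}
AFTER = {
    "jvm.options": "-Xmx1024m\n-Dcom.ibm.jsse2.usefipsprovider=true\n"
                   "-Dcom.ibm.jsse2.sp800-131=transition\n",
    "java.security": (
        "# List of providers and their preference orders\n"
        + "".join("security.provider.%d=%s\n" % (i, p)
                  for i, p in enumerate(FIPS_PROVIDER_ORDER, 1))
        + "ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl\n"
        + "ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl\n"
    ),
    "server.xml": '<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />\n',
}

if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        print(label, check_fips_config(files["jvm.options"],
                                       files["java.security"], files["server.xml"]))
```

Run it after step 2d and again after rerunning the configuration wizard, since the wizard rewrites server.xml and may undo the sslProtocol edit.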
Product Administrator
The Product Administrator has full access to all areas and can perform the
functions of any other type of user.
Standard User
Standard Users are users who are assigned a role in any folder. They can create
applications. If the security model within your organization permits, the Default
User type can be set to Standard User. That way, the first time a new user logs in,
a new user account with a user type of Standard User will be automatically set up.
This is a way of automating the creation of new user accounts. Within folders or
applications that they can access, a Standard User can:
v Create applications
v Grant application access to users
v Create and delete folders in folders they can access
v Create, edit, run, view, and delete scan jobs
v Create, edit, run, view, and delete dashboards
v Create, edit, run, view, and delete report packs
v Grant or deny users access to report packs, dashboards and folders
v Classify issues according to their status
v Export report data
v Configure all options (Basic and Additional) in the AppScan Dynamic Analysis
Client
No Access
Upon trying to log in, if the Default User is set to No Access, a new account will
not be created. If the user has an existing account, the account remains, but access
is denied.
The No Access user type is often used to create an account in anticipation of the
arrival of a new employee who will require access at some future time.
Inherit Access
This user type only applies to users imported from an LDAP server. When a user
with an Inherit Access user type logs in for the first time, they will automatically be
created as a user (whatever the Default User is) and be assigned the user privileges
associated with any LDAP group they belong to, if the group exists in the database
and has been granted access. If they belong to more than one group, they will
inherit the highest permissions of all the groups they belong to. Otherwise, their
type will be No Access.
QuickScan User
QuickScan Users use a simplified view of the Enterprise Console to create quick,
easy-to-use scans to test the applications they are responsible for. Most users are
QuickScan users. QuickScan Users can be given explicit permissions on specific
applications, but they cannot create them.
If a QuickScan user is given access to the advanced scan configuration for the
template they are using, there are restrictions on some of the scan options that they
can modify. Here are some examples:
v What to Scan > Additional server and domains: Modify existing domains and
make changes, but cannot add new domain or delete existing domain.
v Exclude Paths and File > Overall Exceptions: Add new overall URL exception
but not remove them.
v Explore options > Parser Setting: Add Search Patterns and Exclusions but not
delete any.
v Explore options > WebSphere Portal Advanced Settings: Modify the context
root, but not delete them.
v Parameter and Cookies > Normalization Rules: Add new normalization rules
but not delete them.
v Parameter and Cookies > Custom Parameter Definitions: Modify the existing
parameters and cookies values but cannot add or delete any.
v Parameter and Cookies: Modify the existing parameters and cookies values but
cannot add or delete any.
v Login Management: Cannot delete URL from login sequence.
v Automatic form fill: Disable and enable Auto form fill values, but cannot
add/delete/modify any.
v General Scan Options > Custom error pages: Cannot add/delete/modify any
custom error pages.
v Malware: Add new exclusion patterns but not delete any.
v Advanced options > XRules: Modify XRules but cannot add or delete any.
Product administrators can create custom user types to align with the particular
workflows of their organization. These types of users are assigned limited
administrative permissions, such as the ability to create and edit users, to configure
security test policies and server groups, to modify application attributes, or to
manage AppScan Enterprise integrations with other IBM products. See “Custom
user type permissions” on page 131 for more details.
Related tasks:
User roles
One user can set up and run jobs that scan and analyze a website or application.
Another user will only browse through reports that detail the problems that were
found with a website or application. Yet another user can set up and administer
users.
User roles are assigned on a per folder basis by a Product Administrator, and use a
specific user license as well.
Job Administrator
Report Administrator
Report Consumer
A user who has been assigned a role of No Access in a folder will not be able to
see the folder, nor any items in the folder.
As a best practice, when you first create a new user you should give them a No
Access user type until you finish configuring their folder permissions, and then
change their user type to whatever type you want them to have. This prevents
new users from being able to access areas they shouldn't if they log in while you
are still configuring their permissions.
Note:
1. As an organizational security measure, users that are assigned limited
administrative permissions see a streamlined view of the Administration tab
and will only be able to access the administrative pages they are permitted to
use. For example, Rob's user type is set to Inherit Access and he belongs to two
groups: the Developers group has a custom user type of Server Group
Administrator, and the Business group has a custom user type of User
Administrator. When Rob accesses the Administration tab, he will see both the
Users and Groups and the Server Groups menu options. However, if Rob has
explicitly been assigned a user type, the permissions of the user type will
override the permissions of the groups he belongs to.
2. If you edit or delete a custom user type or one of their permissions, all users
who have been given the custom user type will be affected by the change.
3. If you delete a user type that has been assigned to a user, that user will have a
No Access user type until you assign them a new one.
Procedure
1. Go to the Administration view of the Enterprise Console.
2. On the User Types page, click Create.
3. Create the user type, select their user permissions, and click Create.
Related concepts:
“User types” on page 127
Every user is assigned a User Type by the Product Administrator. The User Type
applies across an instance.
“How user types affect user groups” on page 137
Every user is assigned a User Type by the Product Administrator. The User Type
applies across all folders in an installation.
These permissions are custom user permissions that you can assign to users to
align with the workflows in your organization.
Table 17. Custom user type permissions
Permission        | Description
Advanced View     | Gives Standard users who have a QuickScan role the additional access to the advanced job configuration UI from the QuickScan configuration.
Add Users/Groups  | Adds and edits users and groups but cannot edit user security scan permissions.
Edit Users/Groups | Edits users and groups, including user security scan permissions. The user who is editing security scan permissions can only assign scan permissions that they have, unless the user who is editing also has Server Groups or Security Test Policies permissions. Then all scan permissions are available.
Note: In addition to these user types, you can also create a Custom User Type to
assign a limited set of administrative tasks users. These users only see the
Administration and Jobs & Reports pages they are permitted to see.
2. User Roles: Assigned on a per folder basis by a Product Administrator. A user
must be granted access permission to every folder where they will perform
tasks. Folder permissions determine what the user can see and do within the
folder.
3. Per item/per user: Assigned on a per folder item basis (report packs and
dashboards) by an Administrator.
4. Per folder: Assigned per folder by a Product Administrator. When a folder is
created, users will inherit the same user roles that exist in the parent folder. For
example, all Standard Users in Folder A are Report Administrators. Those users
will automatically be Report Administrators in any subfolder, unless an
administrator (job, report, or system administrator) manually changes their
permissions. System administrators can also propagate user permissions down
the folder hierarchy at any time.
For example, the Corporate folder contains Consumer and Business sub-folders.
Mandy has a Report Administrator role in the Corporate folder, but only a Report
Consumer role in the Business folder. She cannot create or edit the properties of
any report pack inside the Business folder. She is restricted to creating and editing
report packs in the Corporate folder. As a Report Administrator, Mandy cannot see
any jobs inside the Corporate folder.
User access does not stop at the folder level. Report packs and dashboards also
have access privileges, so that a user can have access to a folder but be restricted
from some of the items inside that folder. For example, if Mandy has access to a
folder but No Access to the Corporate report pack in that folder, then she can't see
the Corporate report pack. The following table provides some common tasks in
folders and their suitable roles. The table contains the minimum role necessary for
the task, but with each task you can always choose a higher user role and get the
same results.
Note: The user will inherit some properties from the Default User template. To
change the Default User properties the user inherits, you must edit the user's
properties. If a user type is listed as "Restricted", you cannot change it because that
user type has additional administrative permissions that you don't have. You can
only change user types that have your access permission level or lower. For
example, if you have a Standard User type, you cannot change the Product
Administrator user type.
Procedure
1. Go to Administration > Users and Groups, and click Create.
2. On the Create User page:
a. Enter a Name for the user that is easy to recognize; for example, Bill Smith.
b. Enter the User ID using the Domain/Username format; for example,
workgroup\billsmith.
Note: Do not use special characters, such as the percent sign (%). It might
cause a 'session expired' error.
c. Choose a Type for this user.
3. Click Create. The user is added to the list of users.
Related concepts:
“User types” on page 127
Every user is assigned a User Type by the Product Administrator. The User Type
applies across an instance.
Related tasks:
“Creating users with the Default User template”
Most of the properties that a typical user will need can be given to the "Default
User" template, and then used automatically every time you create a new user.
Note: By default, the "Default User" user type is QuickScan User. For example, you
might want most users to only be able to review reports and not perform any job
New users will inherit the license type of the Default User (floating or authorized
user), which is set the first time the product instance is configured.
Procedure
1. Go to the Administration view.
2. On the Users and Groups page, select the Default User from the list.
3. On the Edit User page, make your changes, and click Save.
Results
New users appear in the list of users under their Windows networking User name
and Full name. The only exception is if the Default User has been assigned a No
Access user type. In this instance, the new user is denied access, and no new
account is created.
Related reference:
“Product and user licenses” on page 36
This topic on AppScan Enterprise licenses opens a technote in a separate browser.
Importing users
You can import individual users and assign a user type to them.
Procedure
1. Go to Administration > Users and Groups.
2. Click Import Users.
3. Enter a domain to retrieve a list of users and select the users you want to
import and select a user type for those new users.
4. Click Import after you have selected users from the list.
After you import an LDAP group, users from that group are created automatically
when they first log in, provided the Default User type is set to 'Inherit Access'.
Procedure
1. Go to the Administration view.
2. (Windows only): On the General Settings page, click Edit Enterprise Console
Settings and configure the LDAP server or domain and the LDAP group query
fields and click Done.
3. On the Users and Groups page, click Import Groups.
4. Select an Import Type from the list, select the user groups, and click Import.
5. Select the Default User and set the access permissions to "Inherit Access", and
click Apply.
Note:
a. When a user logs in for the first time, they will automatically be assigned
the user permissions associated with the groups they belong to.
b. Nested groups are not supported. If a user belongs to more than one LDAP
group, they will inherit the permissions of the top level of the group
hierarchy they belong to.
c. You cannot assign a license type to a group.
Results
When a user logs in to the Enterprise Console, they inherit the permissions of
their group. When you assign or change folder access privileges for the group,
the user has access to the folder if their group does. When a user creates a
content scan job, the Enterprise Console checks the scanning permissions of the
group they belong to.
Related concepts:
“How user types affect user groups”
Every user is assigned a User Type by the Product Administrator. The User Type
applies across all folders in an installation.
When a user from an LDAP group has an 'Inherit Access' user type, that user
always inherits the maximum permissions of all the groups they belong to. For
example, in the following table, Rob belongs to three groups. The maximum across
these groups allows him to view, use advanced edit, create and delete users, and
configure test policies.

Group              User Type                  View  Advanced  Create/Delete  Configure      Configure
                                                    Edit      Users          Server Groups  Test Policies
All Staff          Standard User              Y     N         N              N              N
Security Analysts  Test Policy Administrator  Y     N         N              N              Y
Developers         User Administrator         Y     Y         Y              N              N
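The resolution rule described above (Inherit Access takes the maximum of every group's rights) expressed as an audit query. This is an added example, not part of the IBM guide: the two table variables are constructed to mirror Rob's example, and the real AppScan Enterprise database schema, which the guide does not document, is not assumed here.

```sql
-- Added example (not from the IBM guide). Constructed data that mirrors the
-- group table above; the real AppScan Enterprise schema is not shown or assumed.
DECLARE @GroupRights TABLE (
    GroupName           sysname,
    UserType            sysname,
    CanView             bit,
    CanAdvancedEdit     bit,
    CanManageUsers      bit,   -- create/delete users
    CanConfigServerGrps bit,
    CanConfigTestPolicy bit
);
INSERT INTO @GroupRights VALUES
    (N'All Staff',         N'Standard User',             1, 0, 0, 0, 0),
    (N'Security Analysts', N'Test Policy Administrator', 1, 0, 0, 0, 1),
    (N'Developers',        N'User Administrator',        1, 1, 1, 0, 0);

-- Direct memberships only: the guide states that nested groups are not supported.
DECLARE @Membership TABLE (UserName sysname, GroupName sysname);
INSERT INTO @Membership VALUES
    (N'Rob',   N'All Staff'),
    (N'Rob',   N'Security Analysts'),
    (N'Rob',   N'Developers'),
    (N'Mandy', N'All Staff');

-- Effective rights of an 'Inherit Access' user = maximum over all of their groups.
-- MAX() does not accept bit, hence the CAST to int.
SELECT m.UserName,
       MAX(CAST(g.CanView             AS int)) AS CanView,
       MAX(CAST(g.CanAdvancedEdit     AS int)) AS CanAdvancedEdit,
       MAX(CAST(g.CanManageUsers      AS int)) AS CanManageUsers,
       MAX(CAST(g.CanConfigServerGrps AS int)) AS CanConfigServerGrps,
       MAX(CAST(g.CanConfigTestPolicy AS int)) AS CanConfigTestPolicy
FROM @Membership AS m
JOIN @GroupRights AS g ON g.GroupName = m.GroupName
GROUP BY m.UserName;

-- Audit view: who can create or delete users, and through which group the right arrives.
SELECT m.UserName, m.GroupName, g.UserType
FROM @Membership AS m
JOIN @GroupRights AS g ON g.GroupName = m.GroupName
WHERE g.CanManageUsers = 1
ORDER BY m.UserName, m.GroupName;
```

Rob's row carries every right except Configure Server Groups, because a single group is enough to grant a right and none of his grants that one; Mandy, in All Staff only, keeps the Standard User rights. The second query is the one to run when a reviewer asks who can administer users and why.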
Related tasks:
“Defining custom user types” on page 130
A user type is a set of permissions that are applied to a user so that they can
perform certain administrative tasks. Before creating user accounts, you must
create custom user types if you want to assign limited administrative tasks to
Standard Users without making them full Product Administrators.
“Importing LDAP user groups” on page 136
You can import individual groups of users from an LDAP Server, and assign a user
type to them. All groups must have a valid LDAP account before they can be
imported. A user group is used to calculate the effective permissions when the user
type is selected as Inherit access.
Procedure
1. On the Administration view, go to General Settings > Log Settings > Edit.
2. Select the Enable logging check box (off by default).
3. Select a log level and a log size for both types of log files, and click Save.
Note: These settings affect the Enterprise Console and AppScan Server log files
independently (the log file size is the maximum for each type of log file).
4. To download the Enterprise Console and AppScan Server logs that have already
been collected, download the log files without changing the log level and size
settings. The downloaded compressed file contains the Enterprise Console logs and
a nested compressed file that contains the AppScan Server logs.
Note:
a. If you modify the log level or size settings, the settings affect future log files
that you download.
b. Existing log files are not deleted; new information is appended to them.
What to do next
Make sure you restrict access to the report pack or to its folder so other users
cannot see the Activity Log.
Managing a server
Product Administrators are responsible for managing each server to its optimal
performance.
Procedure
1. Go to the Agent Servers page of the Administration view.
2. Check the number and status of items (jobs, report packs, or dashboards)
associated with each server. Use the Current Items section to see the status of
items, and click the Refresh icon to update it. You might do this because you
locked the server and want to confirm that nothing is still running on it,
because you need to find which server a particular job is running on, or because
too many items are running and you believe more agent servers are needed to
distribute the load.
3. Specify the maximum number of agents that can run concurrently on a server.
Change the maximum number when you want to optimize the load on your
server.
4. Lock or enable a server. Lock a server to prevent any more items from running
on it, such as before disconnecting the server from the network, rebooting the
server, or installing software on it.
a. Identify the server to be taken out of service.
b. Click the Name of the server.
c. On the Server Properties page, click Lock or Enable.
d. Click Save.
Note: The number of jobs running can exceed the maximum number of agents
assigned to the server because the number of jobs running includes jobs that
are now in postprocessing. These jobs are no longer using an agent on the
server.
Procedure
1. In the main Folder Explorer, click Scan Queue Management. The list of jobs
that opens automatically sorts according to the scans in progress first, and then
by those jobs that are waiting in the queue to run. The jobs that are in progress
are sorted by run time.
Note: The scan queue view is empty unless scan jobs are running or waiting to
run.
2. To change the running order of the jobs that are waiting to run, select the job
and pick an option from the menu:
v Move job to top of queue
v Move job to bottom of queue
v Move job to position: <position number>
3. There might be times where you must remove the job from the queue, suspend
the job, or stop it before it finishes running. You can remove the job from the
queue only if it is waiting to run. For jobs that are running, select the job and
choose one of the following options from the menu:
4. Click Return to Folder View when you are done to get back to the main folder
explorer.
Update the security rules during your regularly scheduled maintenance period.
Procedure
1. Go to the IBM Fix Central website.
2. Download the file called AppScanEnterprise-<Enterprise-Version>-
RulesUpdate-<RulesVersion>.zip (for example, AppScanEnterprise-9.0.3.1-
RulesUpdate-3193.zip) and save it on the computer where AppScan Enterprise
Server is installed.
Note: Make sure that you have the latest version of AppScan Enterprise
(including fix packs and iFixes) before you update to the latest security rules.
Results
Issue types are changed periodically in the security rules. If you have a scan with
old issue types that no longer exist after a security rules update, the issues with
those issue types will disappear after the update, and new issues will be found
with the new issue types. Those issues will have to be triaged again.
Each test looks for one specific issue. For example, one test modifies a path in a
request; another test modifies user input to include a character that should be
invalid. For each test you can define multiple conditions:
v Filter: What conditions must be met to run the test.
v Modification: What are the changes that are made to the request.
v Validation: What conditions must be met for the test result to be considered
positive.
Procedure
1. Go to Main menu > Administration > User Defined Tests.
2. Browse to the location of the *.udt file and import it. It appears in the list of
tests on the page when the import succeeds.
Note:
a. Each *.udt file can contain many user-defined tests.
b. Give each file a unique name to avoid conflicts.
Results
Issues that user-defined tests discover in subsequent content or import scans
appear under the test's Issue Type in the Security Issues report.
Procedure
1. Back up your database on SQL Server before continuing with the upgrade
process.
2. Make sure you have the latest operating system requirements for SQL Server
2012.
Note: For Windows Server 2008 operating system, Service Pack 2 or later is
required. For Windows 7 or Windows Server 2008 R2, Service Pack 1 or later is
required. For more information, see Hardware and Software Requirements for
installing SQL Server 2012 at: https://go.microsoft.com/fwlink/
?LinkID=195092
3. Follow the instructions at Upgrading to SQL Server 2012.
Like any enterprise application, the database must be backed up regularly, and
other database maintenance tasks must be conducted from time to time. Microsoft
SQL Server Management Studio provides a Maintenance Plan wizard that allows
these tasks to be automated. Use this wizard to create the required scheduled
tasks.
Note: Backing up the database is different from copying the database file and
saving it in another location. Use the Backup feature in Microsoft SQL Server
Management Studio to back up the SQL Server database, and consult its
documentation for instructions.
When you upgrade to a newer AppScan Enterprise version, or back up the database
to move it to another SQL Server, ensure that the collation (including case
sensitivity) matches on both servers. Otherwise, the AppScan Enterprise database
will not work properly.
Backup strategy
Because the database log files can grow in size between SQL Server backups, back
up the database daily. Depending on the frequency with which activities (such as
report pack and dashboard generation, import jobs) are run, it might be possible to
do incremental backups frequently and full SQL Server backups less frequently. It
is not necessary to conduct backups while the database is quiet, but backup
operations can be scheduled for times when the database is known to be less busy.
If your organization employs a regular maintenance window for servers, then this
time might be an ideal time to conduct the SQL Server backup.
For large organizations where the database is never, or rarely, quiet, consider using
commercial backup software that is configured to back up SQL incrementally.
Database recovery
If there is a catastrophic hardware failure, the database can be restored from the
last SQL Server backup by using the 'Restore database' command in Microsoft SQL
Server Management Studio.
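The backup, collation check and recovery steps described above as a T-SQL script that can be scheduled from SQL Server Agent or a maintenance plan. This is an added example, not from the IBM guide; the database name [ASE], the backup path D:\Backup\ and the logical file names in the restore statements are hypothetical.

```sql
-- Added example (not from the IBM guide). Hypothetical names: database [ASE],
-- backup folder D:\Backup\, logical files ASE and ASE_log.
USE master;
GO

-- 1. Record the collation with the backup: it must match on the destination server,
--    and the recovery model decides whether log backups are possible (FULL) at all.
SELECT DATABASEPROPERTYEX(N'ASE', 'Collation') AS db_collation,
       SERVERPROPERTY('Collation')              AS server_collation,
       DATABASEPROPERTYEX(N'ASE', 'Recovery')   AS recovery_model;

-- 2. Full backup. CHECKSUM detects damaged pages while the backup is taken;
--    COMPRESSION needs an edition that supports it (drop the option on Express/Web).
BACKUP DATABASE [ASE]
    TO DISK = N'D:\Backup\ASE_full.bak'
    WITH INIT, CHECKSUM, COMPRESSION, STATS = 10;

-- 3. Frequent log backups keep the transaction log from growing between full
--    backups (FULL recovery model only).
BACKUP LOG [ASE]
    TO DISK = N'D:\Backup\ASE_log.trn'
    WITH NOINIT, CHECKSUM;

-- 4. Prove the media is restorable without touching the live database, and show
--    what it contains (the Collation column of HEADERONLY is the value to compare
--    against the destination server).
RESTORE VERIFYONLY FROM DISK = N'D:\Backup\ASE_full.bak' WITH CHECKSUM;
RESTORE HEADERONLY FROM DISK = N'D:\Backup\ASE_full.bak';
GO

-- 5. Recovery on a replacement server after a hardware failure: restore the full
--    backup without recovery, then the log backups, then bring the database online.
RESTORE DATABASE [ASE]
    FROM DISK = N'D:\Backup\ASE_full.bak'
    WITH MOVE N'ASE'     TO N'E:\Data\ASE.mdf',
         MOVE N'ASE_log' TO N'F:\Log\ASE_log.ldf',
         NORECOVERY, CHECKSUM, STATS = 10;
RESTORE LOG [ASE]
    FROM DISK = N'D:\Backup\ASE_log.trn'
    WITH RECOVERY;
GO
```

Run step 1 on both servers before a move; if the collations differ, create the destination database with the source collation before restoring, rather than restoring first and discovering that the application misbehaves.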
Database growth can become an issue, especially after large content scan jobs are
deleted. The 'Shrink Database' command can be used to remove the empty space.
The database is most effectively shrunk at the "File" level. Choose "Files" from the
"Shrink Database" window.
Database maintenance
After the application is installed, a database maintenance plan must be established.
Use the 'Maintenance Plan wizard' to create the plan and schedule it. In the
wizard, select these options:
v Check database integrity
v Shrink the database
v Reorganize the index
v Update statistics
v Do a full backup of the database
Keep the shrink step before the index reorganization: shrinking moves pages and
fragments indexes, so reorganizing afterwards repairs what the shrink disturbed.
Shrink only when large deletions have actually freed space; a routine shrink just
forces the data file to grow again.
Disk defragmentation
Disk fragmentation occurs over time as files are created, deleted, and change in
size. Consider using the Windows tools to periodically defragment disks when the
database is not being used and can be taken down for maintenance.
Index fragmentation can cause slow database performance because of many page
splits. This leads to high post processing times, report packs taking longer to
generate, and slower web application performance.
The rebuild operation cannot be run while users are accessing the database. For
this reason, it is necessary to stop users from accessing the database during the
rebuild.
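Measuring the index fragmentation described above, and fixing only the indexes that need it, as T-SQL for the maintenance window. This is an added example, not from the IBM guide; the database name [ASE] is hypothetical. REBUILD on Standard edition is an offline operation, which is why users must be off the system as the guide says.

```sql
-- Added example (not from the IBM guide). Hypothetical database name [ASE].
-- Run during the maintenance window with users logged off.
USE [ASE];
GO

-- 1. Fragmentation per index. LIMITED mode reads only the upper-level pages, so it is
--    cheap. Indexes under 1000 pages are skipped: fragmentation there rarely matters.
SELECT OBJECT_SCHEMA_NAME(ps.object_id) AS schema_name,
       OBJECT_NAME(ps.object_id)        AS table_name,
       i.name                           AS index_name,
       ps.avg_fragmentation_in_percent,
       ps.page_count
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i
  ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE ps.avg_fragmentation_in_percent > 10
  AND ps.page_count > 1000
  AND i.name IS NOT NULL            -- heaps have no index to maintain
ORDER BY ps.avg_fragmentation_in_percent DESC;

-- 2. Build the maintenance statements: REORGANIZE between 10 % and 30 %,
--    REBUILD at 30 % and above. Review the generated text before executing it.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'ALTER INDEX ' + QUOTENAME(i.name)
             + N' ON ' + QUOTENAME(OBJECT_SCHEMA_NAME(ps.object_id))
             + N'.' + QUOTENAME(OBJECT_NAME(ps.object_id))
             + CASE WHEN ps.avg_fragmentation_in_percent >= 30
                    THEN N' REBUILD;'
                    ELSE N' REORGANIZE;'
               END + CHAR(10)
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i
  ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE ps.avg_fragmentation_in_percent > 10
  AND ps.page_count > 1000
  AND i.name IS NOT NULL;

PRINT @sql;
EXEC sp_executesql @sql;

-- 3. REBUILD refreshes statistics only for the rebuilt index; REORGANIZE refreshes
--    none. Update the rest so the optimizer sees the post-maintenance layout.
EXEC sp_updatestats;
GO
```

Re-run the first query after the script: anything still above 30 % is either a tiny index the filter excluded or a table that was being written to during the rebuild, which should not happen in a proper maintenance window.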
Procedure
1. In SQL Server Management Studio, click New Query and select the database in
the list.
2. Enter these two SQL statements:
a. CREATE ROLE db_executor
b. GRANT EXECUTE TO db_executor
3. Click Execute.
4. Go to Databases > asedatabasename > Security > Users.
5. Right-click Service account > Properties.
6. From the Database Role Membership section of the Database User dialog, add
these roles to the service account:
v db_datareader
v db_datawriter
v db_ddladmin
v db_executor
7. Select OK.
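Steps 1 to 7 above as a T-SQL script, with the verification a DBA runs afterwards. This is an added example, not from the IBM guide; the database name [ASE] and the service login [CORP\ase_svc] are hypothetical. Removing the service account from db_owner is my addition rather than a step in the guide: without it the reduced roles change nothing, because db_owner already implies all of them.

```sql
-- Added example (not from the IBM guide). Hypothetical names: database [ASE],
-- service login [CORP\ase_svc]. Run as a sysadmin or the database owner.
USE [ASE];
GO

-- 1. Database user for the service login, if the configuration wizard has not
--    created one already.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\ase_svc')
    CREATE USER [CORP\ase_svc] FOR LOGIN [CORP\ase_svc];
GO

-- 2. Custom role that may only EXECUTE stored procedures and functions
--    (steps 2 and 3 of the procedure).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'db_executor' AND type = 'R')
    CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;
GO

-- 3. Role memberships from step 6. ALTER ROLE ... ADD MEMBER needs SQL Server 2012
--    or later; on SQL Server 2008 use EXEC sp_addrolemember 'role', 'user' instead.
ALTER ROLE db_datareader ADD MEMBER [CORP\ase_svc];
ALTER ROLE db_datawriter ADD MEMBER [CORP\ase_svc];
ALTER ROLE db_ddladmin   ADD MEMBER [CORP\ase_svc];
ALTER ROLE db_executor   ADD MEMBER [CORP\ase_svc];

-- Separation of duties (added step): the service account must leave db_owner,
-- otherwise the four roles above are redundant and nothing has been reduced.
IF IS_ROLEMEMBER('db_owner', 'CORP\ase_svc') = 1
    ALTER ROLE db_owner DROP MEMBER [CORP\ase_svc];
GO

-- 4. Verify the memberships ...
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = rm.member_principal_id
WHERE u.name = N'CORP\ase_svc'
ORDER BY r.name;

-- ... and the effective database-level permissions exactly as the service
-- account sees them. CONTROL must not be in this list once db_owner is gone.
EXECUTE AS USER = 'CORP\ase_svc';
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
REVERT;
GO
```

Keep the Local System User account (the one used during installation and configuration) in db_owner, as the related reference below describes; only the runtime service account is reduced. If the configuration wizard is re-run, for example after a service-account password change, check the memberships again, because the wizard re-grants db_owner.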
Related reference:
“Required user account information during installation and configuration” on page
30
During installation and configuration, various user accounts are used, each with
specific permissions. The Service Account and the Local System User account can
be a single account, with the same user name and password. However, if your
organization requires a separation of duties, use the Local System User Account
during installation and configuration, and then use the Service Account for
maintaining SQL Server database access.
You must create one or more server groups to define what can be tested. After a
server group is created, you then assign it to a Job Administrator. That person then
creates jobs that perform security tests on a specific group of servers.
The Default User can be assigned server groups and test policies to facilitate
setting up users. If you know that all your users will be testing a particular set of
servers, you can create a group with those servers and assign it to the Default
User. All newly created users are automatically given permission to test those
servers.
Procedure
1. Go to the Administration view.
2. On the Server Groups page, click Create.
3. On the Create Server Group page, enter a name for the server group and click
Create.
4. On the Edit Server Group page, enter the domains or IP addresses of the
servers that are included in this server group and click Save.
5. Next you will create a security test policy and assign the server group and
security test policy to users.
Note: Your IP address changes will also affect AppScan if it uses AppScan
Enterprise Server as its permissions server.
Procedure
1. Go to the Administration view and navigate to the Module Licenses page.
2. In the Security IP Ranges section, select the ranges you want to enable or clear
the ranges you want to disable.
Procedure
1. Go to the Administration view.
2. On the Security Test Policies page, click Create.
3. On the Create Simple Security Test Policy page, give the test policy a name and
description and click Create.
4. On the Edit Simple Security Test Policy page, configure the tests that will be
included in the test policy and click Save.
What to do next
These test policies are exported from AppScan 7.5 (or higher) and are read-only.
Any required modifications to the test policy must be performed in AppScan and
re-imported.
Procedure
1. Go the Administration view.
2. On the Security Test Policies page, click Import Advanced Security Test Policy.
3. On the Import Advanced Security Test Policy page, give the policy a name.
4. Enter the location of the .policy file and click Import.
Note: If you do not know the location of the .policy file, click Browse to locate
it on your file system and then click Import. The Edit Advanced Test Policy
page opens where you can view a read-only version of the tests the test policy
contains.
5. On the Edit Advanced Security Test Policy page, edit the name and description
of the test policy as required and click Save.
6. Verify that you have imported the correct test policy by checking its details.
What to do next
There might be times when you must re-import a security test policy file,
including:
v you've assigned the test policy to users who are currently using it on scan jobs
v test policy rule versions have updated in AppScan Standard and you would like
to use them in AppScan Enterprise
To avoid having to reassign security permissions on the test policy, and to avoid
affecting jobs that are currently using the security test policy, you can re-import it
from AppScan without affecting your workflow. Otherwise, you must delete the
test policy in AppScan Enterprise and create a new one, compromising any job that
references the deleted policy.
1. Apply updates in AppScan Standard and then close AppScan Standard.
2. Reopen AppScan and export the test policy as a .policy file.
3. Re-import the security test policy into AppScan Enterprise.
Note:
v The test policies that are available depend on what the Product Administrator
has assigned to you.
v Each test policy is associated with a certain server group, so changing the test
policy changes the server group.
Your user properties list the security test policies and server groups that have been
assigned to you. When a Job Administrator creates a job, its security test policies
and server groups are predetermined. However, other Job Administrators can
change what tests the job can run and which applications it can test. Any other Job
Administrator can "take ownership" of the job. When a Job Administrator takes
ownership of a job, the available security test policies and server groups become
those of the new Job Administrator.
Procedure
1. Go to the Folder Content Summary, select the job, and click Edit.
2. On the General Properties page, click Select Job Owner, and choose yourself as
the new job owner.
3. Click Select Job Owner > Save.
What to do next
Each user can be assigned certain security test policies and server groups.
However, if you want all new users to automatically have the same test policies
and server groups, assign them to the Default User instead.
This workflow provides many benefits: The security team uses a richer
environment to select scan options in AppScan Standard. This method is a one-step
process to provide these templates to developers in AppScan Enterprise. It
produces more consistent results across the organization, and provides the same
user experience during job configuration. It improves the configuration experience
for developers, who often don't have much security knowledge, and provides them
with the ability to configure action-based login and manual explore features.
This task assumes that you have created a scan template file in AppScan Standard.
Procedure
1. In the Scans view, go to the Templates folder in the Folder list and click Create
in the main content pane.
2. On the Create Folder Item page, select Create Template for Content Scan and
give it a name.
Note: If you do not have a copy of AppScan Standard, click Download. After
you install it and create a *.scant file, then you can upload it here.
4. Add the *.scant file that you located and click Create > Done.
Note: If there are any issues during the upload process, they display in the
Folder Item Created page as not supported.
5. Security test policies are ignored during upload. On the template's Security
page, select a test policy. Or, to let developers pick their own security test
policy, choose Use the AppScan Dynamic Analysis Client to select. Users can
select their own policy when they create a scan in the Client.
6. Configure the remaining options for the template, such as Log Settings, Agent
Server, Job Properties, and What to Scan.
7. To prevent users from accessing the advanced scan configuration pages, disable
the check box on the Template Configuration page.
8. Click Save.
Related concepts:
“Supported technologies” on page 28
Note:
v The port number is not needed if the license server(s) in the Server box are
using a port in the default port range. Otherwise, enter the port number
used by the license server(s).
v Licenses are searched for on the license servers in the order in which they
appear in the 'License server search order' list.
v The license servers you choose during configuration apply to all instances
configured on this Server.
Note: Users must log off properly to release the license; closing the browser
will not release the license until two hours have passed.
1. Change the connection limit for the Monitor view by modifying the
session.timeout property (in milliseconds) in the <install-dir>\AppScan
Enterprise\Liberty\usr\servers\<ase instance name>\server.xml file.
2. Change the connection limit for the Folder Explorer view by modifying the
sessionState timeout attribute in the <install-dir>\IBM\AppScan Enterprise\WebApp\
web.config file, for example <sessionState timeout="120"/>. ASP.NET interprets
this value in minutes, so 120 corresponds to the two hours noted above.
v How to apply the licenses
v Common licensing scenarios
Server Components
Select the components you want to configure. The components available to you
depend on the license.
Table 18. Server Components

Component                 Description
User Administration       User administration for LDAP authentication.
Enterprise Console        Enterprise reporting, collaboration, and the ability to
                          conduct dynamic analysis assessments. Select this
                          component for AppScan Enterprise and for AppScan Source
                          distributed deployments that only require Windows
                          authentication.
Dynamic Analysis Scanner  Scanning and testing web applications. Select this
                          component for an AppScan Enterprise deployment.
Instance Name
Specify the name of the instance you want to configure.
1. If you are installing only one instance on this computer, select the Select or
create a default instance check box and then click Next.
2. If you are installing more than one instance on this computer, clear the Select
or create a default instance check box, enter a name for the instance, and then
click Next. You will be given the option to configure another instance at the
end of the wizard.
Related tasks:
“Uninstalling an instance of the Enterprise Console” on page 107
Remove instances that are no longer needed on a single server.
Database Connection
Enter the SQL Server name, port number, and the name of the database you are
connecting to. You can click Test Connection to make sure you can connect to the
SQL Server. The configuration wizard does not proceed until the connection is
successful.
Note:
1. The syntax for the SQL Server name has changed with the introduction of
Liberty support. ".\SQL_SERVER_NAME" no longer works. Use
"HOSTNAME\SQL_SERVER_NAME" instead.
2. If your environment uses a named SQL Server instance for the AppScan
Enterprise database, make sure that TCP/IP is enabled in SQL Server
Configuration Manager, and restart the SQL Server services. Use the TCP port of
the named instance instead of the default port number (1433). A named instance
listens on a dynamic port unless you assign a static one in Configuration
Manager; assign a static port so that firewall rules and this setting stay valid
across restarts.
3. If you have multiple instances and want to remove an instance that is no
longer required:
v Clear the Use default name check box.
Service Account
Specify the service account that will be used by the services.
During the configuration of the components you install, you must enter service
account information. This service account allows the agents to access the database
server. Individual users do not require any form of database permissions. The
service accounts used for the agents and the database should have passwords that
do not expire. If, however, the passwords must change at regular intervals, you can
rerun the Configuration wizard on all the AppScan Enterprise Server and Dynamic
Analysis Scanner computers and enter the new password.
The Local System User account and the Service Account can be a single account,
with the same user name and password.
The service account is granted db_owner rights to the database and must have
permissions that allow it to create a database and tables, add users, run stored
procedures, and grant rights.
Note: These permissions enable the service account to write to the log files. They
also enable the scan agents to write temp files, without which the scans would not
function. The Configuration wizard creates these permissions for you - do not
change them.
The service account must have permission to log on locally on the target machine
so that it can impersonate the user's logon credentials. It also must have
permission to log on as a service.
Registry permissions
Server Certificate
For security reasons, HTTPS is enabled for Enterprise Console. Choose a certificate
from the list of certificates that are installed in IIS. Taking these actions will help
you deploy a secure AppScan Enterprise in your environment.
Server Keystore
If you choose to use a keystore that contains a trusted certificate chain for this
host, complete the available fields.
v If you exported a certificate .pfx file, select Public key cryptography standards
#12 (PKCS #12) as the Keystore Type.
v Browse to the location where you exported the certificate .pfx file.
Authentication Mechanism
Select an Authentication Mechanism to use to log into the Enterprise Console. If
you choose Windows, you must be part of a domain.
LDAP authentication
v When you configure LDAP authentication in the configuration wizard, you can
specify any user account to be the product administrator if the user exists in the
LDAP server.
v When you log in to AppScan Enterprise, don't prefix the user name with a
domain name.
v If your LDAP server supports SSL, select the Connect to LDAP server using
SSL check box. Some of the LDAP configuration fields are pre-populated for
you. Check that they are correct for your environment.
v When you select an LDAP Server Type, default settings for the LDAP Server
Port, User Filter, and User ID Map fields are automatically filled in for you.
However, you must understand the syntax required for each field so that the
connection to Liberty works successfully. Contact your LDAP administrator to
get the settings for your environment, especially for filtering users.
Related information:
Product Administrator
This user is licensed separately; if you want to reassign the Product Administrator
license, you must rerun the configuration wizard.
v For Windows authentication, provide your user name and full name.
v For LDAP authentication, provide your User ID, name and password.