Installing the AppScan Central Platform

Installing the AppScan Central Platform is a multi-step process:
  1. Download and extract ASCP installer files to a target installation directory.
  2. Preconfigure AppScan 360° settings.
  3. Install ASCP with components configured in step 2.
  4. Configure connections to ASCP and the AppScan 360° server.
Note: Perform all installation and configuration activities as an Administrator on the target system.

Downloading and extracting installation files

To extract ASCP installation files:
  1. Download the ASCP installer from the HCL License and Download Portal.
  2. In the folder to which the installer was downloaded, run the executable file:
    [AppScan360 installer].exe

    This creates and populates a folder named AppScan360 in the folder in which it is run.

  3. To specify a different destination folder, specify the destination on the command line:
    [AppScan360 installer].exe -o"[c:[destination]"

Preconfiguring AppScan 360° settings

To preconfigure AppScan 360° settings:
  1. In the extraction directory, locate the install.config file and open it in a text editor.
  2. Edit the parameters in the file according to your requirements. These parameters are critical for AppScan 360° to function.
    Note: The supported certificate formats are PFX or Certificate and Key pair (PEM).
Table 1. Required parameters
Parameter Description
DB_NAME=<AppScan360_db_name> Database name. The database is created on the database instance specified below.
DB_HOST=<db.domain.com> The name of the machine with MSSQL server installed.
DB_USERNAME=<db_admin_username> A database user with db-creator permissions.
DB_PASSWORD=<db_admin_password> The password for the above user.
Table 2. Optional parameters
Parameter Description
SAST_SERVICE_FQDN=<sast.domain.com> Static analysis FQDN (without scheme or path).
USE_EXTERNAL_SERVER_CERTIFICATE=<True/False> Configure this option if you want to use your own PFX format certificate for your AppScan 360° web application. If you do not, a self-signed PFX format certificate is generated during the installation process. This option affects the next four parameters.
PFX certificate
SERVER_PFX_FILE_PATH=<absolute path to PFX file> The path to your PFX certificate file.
SERVER_PFX_FILE_PASS=<password> The password for the PFX certificate file.
Note: If you configure your own PFX file, any CRT file parameters will be ignored.
PEM certificate
SERVER_CRT_FILE_PATH=<absolute path to CRT file> The path to your PEM certificate file.
SERVER_KEY_FILE_PATH=<absolute path to KEY file> The path to your PEM certificate key file.
Self-signed certificate
CUSTOM_USERSITE_FQDN=<site.company.com> If you choose not to use your own certificate, a self-signed certificate is created for you. You can specify here the DNS name of your choice. Make sure this FQDN is DNS resolvable.
LDAP
USE_LDAP=False To enable LDAP authentication, set to True.
LDAP_USERNAME= User with LDAP read permissions.
LDAP_PASSWORD= Password for the above user.
LDAP_DOMAIN= LDAP domain.
EXTERNAL_IDP_MODE=AutoOnboard Define your method for on-boarding new users:
  • AutoOnboard: Any user with access to the server can log in to AppScan 360°.
  • GroupsAccess: Any user in an authorized group (defined with LDAP_AUTHORIZED_GROUPS=) can log in to AppScan 360°.
  • ManualOnboard: Users must be invited using the Add Users button on the Access management > Users page.
LDAP_AUTHORIZED_GROUPS= When EXTERNAL_IDP_MODE is set to GroupsAccess, list the name(s) of the groups whose members will be authorized automatically.
SMTP
MAIL_SMTP_HOST= SMTP server host name.
MAIL_SMTP_PORT= SMTP server port.
MAIL_SMTP_ENABLE_SSL= Use SSL for SMTP.
MAIL_SMTP_USERNAME= SMTP server username.
MAIL_SMTP_PASSWORD= SMTP server password.
MAIL_SMTP_SITE_URL= Site URL. Used to create a link in the emails.
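
The following pre-flight check is an added example, not part of the product or its installer. It reads install.config and flags the combinations described in the tables above: required DB_* values left empty or as placeholders, an external certificate requested without a PFX or a complete CRT/KEY pair, CRT/KEY values that are ignored because a PFX is set, and GroupsAccess without groups. The function names and sample values are hypothetical, and treating EXTERNAL_IDP_MODE as relevant only when USE_LDAP=True is an assumption.

```powershell
# Added example: pre-flight check of install.config before running the installer.
function Read-InstallConfig {
    param([string[]]$Lines)
    $cfg = @{}
    foreach ($line in $Lines) {
        # Split on the first '=' only, so values containing '=' are kept whole.
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*=(.*)$') { $cfg[$Matches[1]] = $Matches[2].Trim() }
    }
    return $cfg
}

function Test-InstallConfig {
    param([hashtable]$Cfg)
    $findings = [System.Collections.Generic.List[string]]::new()
    # "Set" means present, non-empty, and not a leftover <placeholder> from the template.
    $isSet = { param($k) $Cfg.ContainsKey($k) -and $Cfg[$k] -ne '' -and $Cfg[$k] -notmatch '^<.*>$' }
    foreach ($k in 'DB_NAME', 'DB_HOST', 'DB_USERNAME', 'DB_PASSWORD') {
        if (-not (& $isSet $k)) { $findings.Add("ERROR: required parameter $k is empty or a placeholder") }
    }
    if ($Cfg['USE_EXTERNAL_SERVER_CERTIFICATE'] -eq 'True') {
        $pfx = & $isSet 'SERVER_PFX_FILE_PATH'
        $crt = & $isSet 'SERVER_CRT_FILE_PATH'
        $key = & $isSet 'SERVER_KEY_FILE_PATH'
        if (-not $pfx -and -not ($crt -and $key)) { $findings.Add('ERROR: external certificate requested, but no PFX and no complete CRT/KEY pair') }
        if ($pfx -and ($crt -or $key)) { $findings.Add('WARN: PFX is configured, so the CRT/KEY parameters are ignored') }
    }
    # Assumption: the onboarding mode only matters when LDAP is enabled.
    if ($Cfg['USE_LDAP'] -eq 'True') {
        if ($Cfg['EXTERNAL_IDP_MODE'] -eq 'GroupsAccess' -and -not (& $isSet 'LDAP_AUTHORIZED_GROUPS')) {
            $findings.Add('ERROR: GroupsAccess is set, but LDAP_AUTHORIZED_GROUPS is empty')
        } elseif ($Cfg['EXTERNAL_IDP_MODE'] -eq 'AutoOnboard') {
            $findings.Add('NOTE: AutoOnboard lets any user with access to the server log in')
        }
    }
    return $findings
}

# Constructed sample, not a real configuration.
$sample = @'
DB_NAME=AppScan360
DB_HOST=db.example.test
DB_USERNAME=ascp_installer
DB_PASSWORD=<db_admin_password>
USE_EXTERNAL_SERVER_CERTIFICATE=True
SERVER_PFX_FILE_PATH=C:\certs\site.pfx
SERVER_CRT_FILE_PATH=C:\certs\site.crt
USE_LDAP=True
EXTERNAL_IDP_MODE=GroupsAccess
'@ -split '\r?\n'
Test-InstallConfig (Read-InstallConfig $sample)
```

To check a real file, pass `(Get-Content .\install.config)` to Read-InstallConfig instead of the sample.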

Installing AppScan Central Platform

The install process sets up websites on ports 80, 443, and 8081. To avoid conflicts, make sure that no existing site on the installation machine uses any of these ports.

Ports 80 and 443 must be open for all AppScan 360° users in your organization.

This process installs peripheral software, updates Windows Server features, creates IIS components, and configures the products based on the AppScan 360° settings you configured.

To install the AppScan Central Platform:
  1. Open Windows PowerShell as an Administrator.
  2. Navigate to the AppScan 360° installation folder and run:
    .\install.ps1 -installdb
    After a few minutes, a confirmation shows that AppScan 360° is installed and ready to use.
    Important: To run scans you must activate AppScan 360° with a license key.
    Note: During this process, a copy of install.config, named ascp.config, is saved in the same folder. This copy is used when upgrading, to preserve your configuration.

In addition, the following installation options can be used to perform specific tasks:

Parameter Use to...
-installdb Create a new database or apply updates to an existing one.
-reconfigure Re-read the configuration settings from the AppScan360.config file or install an update package.
-sslpass Provide an SSL certificate password instead of providing it interactively during installation.

Configure connections to ASCP and the AppScan 360° server

SSL setting

AppScan 360° supports either a self-signed certificate (created automatically during installation) or a user-provided certificate.

Root CA certificate

ASCP installation creates a self-signed root CA certificate, which is used to create internal certificates for secure communication between ASCP and AppScan 360° Static Analysis. It encrypts all communication between ASCP and the various engines connected to it.

The certificate is installed in the “Root” certificate store of the local machine. After installation, the root CA certificate and private key are saved in:
 <installation_folder>\Certs\

The Root CA certificate must also be installed on every machine that accesses ASCP and the AppScan 360° server.

To see how to pass this certificate to AppScan 360° Static Analysis, refer to Static analysis (SAST).
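
The two checks below are an added example, not part of the product. The first confirms on a client machine that the ASCP root CA is present in the local machine “Root” store, and the second lists who besides the expected accounts can read the folder that holds the root CA private key. The function names, both path parameters and the allow list are assumptions; the page does not name the files inside Certs\.

```powershell
# Added example. $CertPath and $KeyFolder are supplied by the caller;
# the file names inside <installation_folder>\Certs\ are not given on this page.
function Test-RootCaTrusted {
    param([Parameter(Mandatory)][string]$CertPath)
    # Resolve first: .NET resolves relative paths against the process directory, not the PowerShell location.
    $full = (Resolve-Path -Path $CertPath).Path
    $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    # Compare by thumbprint so a different certificate with the same subject name does not pass.
    $match = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
    [pscustomobject]@{
        Subject    = $ca.Subject
        Thumbprint = $ca.Thumbprint
        NotAfter   = $ca.NotAfter
        Trusted    = [bool]$match
    }
}

function Get-UnexpectedKeyAccess {
    param(
        [Parameter(Mandatory)][string]$KeyFolder,
        # Assumed allow list; adjust to local policy (these names are localized on non-English systems).
        [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    # Every Allow entry for an identity outside the allow list can reach the CA private key.
    (Get-Acl -Path $KeyFolder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $Allowed } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage (placeholders, replace with your own paths):
#   Test-RootCaTrusted -CertPath '<path to exported root CA certificate>'
#   Get-UnexpectedKeyAccess -KeyFolder '<installation_folder>\Certs'
```

Any row returned by Get-UnexpectedKeyAccess is an account that can read the key used to issue the internal certificates.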

Web application certificate

In addition to Root CA, you need a web application certificate:
  • Provide your organization’s SSL certificate for the AppScan 360° website. The supported certificate formats are PFX or Certificate and Key pair (PEM).
  • If not provided by the user, a web application certificate is created automatically, installed on the IIS server and bound to all ports that use HTTPS.
The certificate is installed on the AppScan 360° machine, in the “Personal” certificate store, and is used only for the AppScan 360° website.

Examples

The following command performs a clean install, pre-sets the self-signed certificate's password to Pass1234, and initializes the database:

.\installer.ps1 -installdb -sslPass Pass1234

The following command reconfigures (updates/upgrades) ASCP and looks for the config file in a non-default directory:

 .\installer.ps1 -reconfigure -configPath C:\AppScan360.config