Deploy IAST Agent

Install the IAST Agent on your application server, and configure the scan.

About this task

You need to deploy the IAST agent on the application server so that it can monitor communication with the application and report to ASoC.
Support: Only web application servers running JRE/JDK 1.8 or higher are supported.

Deploy Java IAST agent

Procedure

  1. If the server where IAST is running sits behind a proxy:
    • If there is a transparent proxy, you must set the following Java properties when running the server:
      -Dhttps.proxyHost={proxy_ip} -Dhttps.proxyPort={proxy_port}
    • If a certificate is needed to communicate externally (for example, to pass a transparent proxy), you must supply a valid certificate, and run the following command to import it to the keystore.
      Note: If you have installed JRE with default settings, the keystore name is cacerts and it is protected by the password changeit. Otherwise, replace the -storepass, -keystore, and -file values with your own.
      keytool.exe -import -storepass "changeit" -keystore "C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts" -alias certificate.cer -file "C:\certificate.cer" -noprompt
  2. Follow the instructions for your server:
    • Tomcat server: Copy the Secagent.war file that you downloaded from the ASoC scan configuration wizard to your webapps folder, or deploy it as you would any other WAR servlet.
    • WebSphere server: Deploy the Secagent.war file that you downloaded from the ASoC scan configuration wizard as you would any other WAR servlet.
      Note: Make sure to:
      1. Deploy the agent as a web application, not an enterprise application
      2. Select /Secagent as the context root
    • WebSphere Liberty / Open Liberty server: Copy the Secagent.war file that you downloaded from the ASoC scan configuration wizard to your dropins folder, or deploy it as you would any other WAR servlet.
    • JBoss/WildFly server: Copy the Secagent.war file that you downloaded from the ASoC scan configuration wizard to your deployments folder, or deploy it as you would any other WAR servlet.
    • WebLogic: Deploy the Secagent.war file that you downloaded from the ASoC scan configuration wizard as you would any other WAR servlet.
  3. To verify the deployment, open any browser and browse to:
    http://<server address>/Secagent
    The Secagent page opens, showing that the agent has been loaded successfully. As you use or test your application (run functional tests, run a Dynamic Scan, or explore the app manually), the IAST Agent monitors requests as they are sent, and reports on security issues it finds.

Deploy .NET Framework IAST agent

About this task

Use the NuGet Package Manager to add the IAST agent to your application. The example uses Visual Studio.

Procedure

  1. Open Visual Studio and go to Menu > Tools > Options > NuGet Package Manager > Package Source.
  2. Select the folder containing the SecAgent package.
  3. Click the + sign and give the new source a name.
  4. In the Solution Explorer, right-click on the project you want IAST to monitor, and click on Manage NuGet Packages.
  5. Type com.HCL.AppScan.IAST.agent in the search bar and select the first package in the results.
  6. Click Install.

    The agent is now installed. As you use or test your application (run functional tests, run a Dynamic Scan, or explore the app manually), the IAST Agent monitors requests as they are sent, and reports on security issues it finds.

Deploy Node.js IAST agent

Procedure

  1. Generate a key for the Node.js agent (through the UI or API).
  2. On your web server:
    1. Add environment variable: IAST_ACCESS_TOKEN: [key]
    2. Open the command prompt and run: npm install --save @hclsoftware/secagent
    3. Edit package.json by locating this line:
      "start": "node index.js",
      and changing it to this:
      "start": "node -r @hclsoftware/secagent/src/Iast.js index.js",
  3. Start your application using npm start
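
The Node.js steps above as a scripted check, added here as an example (not HCL's code). The helper names addAgentPreload and preflight, the sample package.json object and the sample key are hypothetical; only the package name, the preload path and IAST_ACCESS_TOKEN come from this page.

```javascript
// Added example. Pass in the parsed package.json (JSON.parse of the file)
// and process.env; the helpers themselves touch no files.
const AGENT_PKG = "@hclsoftware/secagent";
const PRELOAD = "-r @hclsoftware/secagent/src/Iast.js";

// Return a copy of the parsed package.json with the agent preloaded in "start".
function addAgentPreload(pkg) {
  const start = (pkg.scripts && pkg.scripts.start) || "";
  if (start.includes(PRELOAD)) return pkg; // already patched, change nothing
  const m = /^(\s*node)(\s+.*)$/.exec(start);
  if (!m) throw new Error(`"start" does not invoke node directly: "${start}"`);
  return { ...pkg, scripts: { ...pkg.scripts, start: `${m[1]} ${PRELOAD}${m[2]}` } };
}

// List what is still missing before `npm start` would load the agent.
function preflight(pkg, env) {
  const problems = [];
  if (!env.IAST_ACCESS_TOKEN) problems.push("IAST_ACCESS_TOKEN is not set");
  if (!(pkg.dependencies && pkg.dependencies[AGENT_PKG]))
    problems.push(`${AGENT_PKG} is not listed in dependencies`);
  const start = (pkg.scripts && pkg.scripts.start) || "";
  if (!start.includes(PRELOAD)) problems.push('"start" does not preload the agent');
  // Assumption of this example: the key should live only in the environment,
  // so flag it if it was pasted into package.json, which is usually committed.
  if (env.IAST_ACCESS_TOKEN && JSON.stringify(pkg).includes(env.IAST_ACCESS_TOKEN))
    problems.push("access token appears inside package.json");
  return problems;
}

// Constructed sample input (not a real project or key).
const samplePkg = {
  name: "demo-app",
  scripts: { start: "node index.js" },
  dependencies: { express: "^4.18.0" },
};
const patched = addAgentPreload(samplePkg);
console.log(patched.scripts.start);
console.log(preflight(patched, { IAST_ACCESS_TOKEN: "constructed-key" }));
```

In the sample run, the remaining problem reported is the missing dependency entry, which is what step 2.2 (npm install --save) adds.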