Deploying a Java IAST agent

An IAST agent can be deployed on application servers that host Java, .NET, Node.js or PHP based applications. This section explains how to deploy the Java agent type on your web server.

Before you begin

The simplest and most effective way to use IAST is to deploy it as a WAR file servlet on your web server. When this is not possible, for example when running IAST on a Quarkus framework, the IAST agent can be installed as a Java agent using a JAR file.
Support: Only web application servers running JRE/JDK 1.8 or higher are supported.
  1. If the server where IAST is running is behind a proxy:
    • For a transparent proxy, use any one of the following Java properties when running the server:
      • Standard Java properties:
        -Dhttps.proxyHost={proxy_ip} -Dhttps.proxyPort={proxy_port}
      • Custom Java properties:
        -DIast.proxyHost={proxy_ip} -DIast.proxyPort={proxy_port}
      • Environment variables:
        IAST_PROXY_HOST={proxy_ip} IAST_PROXY_PORT={proxy_port}
    • If a certificate is needed to communicate externally (for example, to pass a transparent proxy that intercepts TLS), supply a valid certificate and run the following command to import it into the JVM truststore. Keep in mind that the JVM then trusts that certificate for every outbound connection it makes, not only the agent's, so import only the certificate you actually need.
      Note: If you have installed the JRE with default settings, the truststore is the cacerts file and it is protected by the password changeit. Otherwise, replace the -storepass, -keystore, and -file values with your own.
      keytool.exe -import -storepass "changeit" ^
          -keystore "C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts" ^
          -alias certificate.cer -file "C:\certificate.cer" -noprompt
  2. For IAST agent versions prior to 1.14.2, if both the compile-time and the runtime Java versions are 9 or higher, add the following flag to the java run command:
    -Djava.lang.invoke.stringConcat=BC_SB
    This makes the JVM compile string concatenation to StringBuilder bytecode instead of the invokedynamic call sites introduced in Java 9. Agent versions 1.14.2 and later do not need this flag.

Procedure

  1. Download the ASoC Java IAST agent, as described here.
  2. Extract the contents of the ZIP file.
  3. Deploy the IAST agent as either WAR servlet or JAR file:
    Deploy as a WAR servlet:
    1. Locate Secagent.war in the root of the extracted ZIP file.
    2. Follow the instructions for your server:
      • Tomcat server / Jetty server: Copy Secagent.war to your webapps folder, or deploy it as you would any other WAR servlet.
      • WebSphere server: Deploy Secagent.war as you would any other WAR servlet.
        Note: Make sure to:
        1. Deploy the agent as a web application, not an enterprise application
        2. Select /Secagent as the context root
      • WebSphere Liberty server / Open Liberty server: Copy Secagent.war to your dropins folder, or deploy it as you would any other WAR servlet.
      • JBoss/WildFly server / JBoss EAP server: Copy Secagent.war to the deployments folder, or deploy it as you would any other WAR servlet.
      • Weblogic: Deploy Secagent.war as you would any other WAR servlet.
    3. To verify the deployment, open any browser and browse to:
      http://<server address>/Secagent
      The Secagent page opens, showing that the agent has been loaded successfully. As you use or test your application (run functional tests, run a Dynamic Scan, or explore the app manually), the IAST Agent monitors requests as they are sent, and reports on security issues it finds.
    Deploy as a JAR file:

    Use this deployment method when it is not possible to deploy the IAST agent as a WAR file. For example, when running IAST on a Quarkus framework. In this deployment method, the IAST agent will run as a Java agent.

    1. In the jar_deployment folder, locate secagent.jar.
    2. Add the following JVM option to your application's java command line. It must come before -jar or the main class name, because it is an option for the JVM, not an argument for the application:
      -javaagent:<path to secagent.jar>
    3. To verify the deployment, check stdout for messages starting with "[IAST Secagent]".
    The agent is now installed. As you use or test your application (by running functional tests, a dynamic scan, or exploring the application manually), the IAST agent monitors requests and reports any security issues it finds.
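The command-line assembly for the JAR deployment (the -javaagent option, the standard proxy properties from "Before you begin", and the stringConcat flag for agent versions before 1.14.2), together with the stdout check in step 3, as an added example script. It is not part of the AppScan documentation or product; the file paths, version strings, log file name and function names are assumptions, and the only product facts it encodes are the option names and version rule given on this page.

```shell
#!/bin/sh
# Added example (not AppScan's own tooling): assemble the JVM options for
# running an application with the IAST Java agent attached, and check the
# captured stdout to confirm the agent loaded.

# java_major VERSION -> major release number ("1.8.0_292" -> 8, "17.0.1" -> 17)
java_major() {
    case $1 in
        1.*) printf '%s' "$1" | cut -d. -f2 ;;
        *)   printf '%s' "$1" | cut -d. -f1 ;;
    esac
}

# agent_older_than_1_14_2 VERSION -> exit 0 when VERSION sorts before 1.14.2
agent_older_than_1_14_2() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    # keep only the leading digits of each component ("2-beta" -> "2")
    major=${1%%[!0-9]*}; major=${major:-0}
    minor=${2%%[!0-9]*}; minor=${minor:-0}
    patch=${3%%[!0-9]*}; patch=${patch:-0}
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 14 ] && return 0
    [ "$minor" -gt 14 ] && return 1
    [ "$patch" -lt 2 ]
}

# needs_stringconcat_flag AGENT_VERSION JAVA_VERSION
# The page's rule: agents before 1.14.2 on Java 9 or higher need the flag.
needs_stringconcat_flag() {
    agent_older_than_1_14_2 "$1" && [ "$(java_major "$2")" -ge 9 ]
}

# build_iast_java_opts AGENT_JAR AGENT_VERSION JAVA_VERSION [PROXY_HOST PROXY_PORT]
# Prints the JVM options; they must precede -jar or the main class name.
build_iast_java_opts() {
    jar=$1; agent_ver=$2; java_ver=$3; proxy_host=$4; proxy_port=$5
    opts="-javaagent:$jar"
    if [ -n "$proxy_host" ]; then
        # the standard Java proxy properties, one of the three forms the page lists
        opts="$opts -Dhttps.proxyHost=$proxy_host -Dhttps.proxyPort=$proxy_port"
    fi
    if needs_stringconcat_flag "$agent_ver" "$java_ver"; then
        opts="$opts -Djava.lang.invoke.stringConcat=BC_SB"
    fi
    printf '%s' "$opts"
}

# iast_agent_loaded LOGFILE -> exit 0 when the captured stdout contains an
# "[IAST Secagent]" line, which is the page's verification criterion
iast_agent_loaded() {
    grep -qF '[IAST Secagent]' "$1"
}

# detect_java_version -> version string reported by the java on PATH
detect_java_version() {
    java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Example usage (paths and versions are assumptions; the agent jar path must
# not contain spaces because $JAVA_OPTS is word-split on purpose):
#   JAVA_OPTS=$(build_iast_java_opts /opt/iast/secagent.jar 1.13.0 "$(detect_java_version)" 10.0.0.5 3128)
#   java $JAVA_OPTS -jar /opt/app/app.jar > /var/log/app/stdout.log 2>&1 &
#   sleep 10; iast_agent_loaded /var/log/app/stdout.log && echo "IAST agent loaded"
```

The version check is deliberately strict: the flag is added only when both conditions on the page hold, so a current agent on Java 17 runs without it, and an old agent on Java 8 runs without it too.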

Running a Java agent with security manager

About this task

You can run the Java agent with the Java Security Manager enabled:

  • As a WAR file on Tomcat, or
  • As a JAR file on servers other than Tomcat. Contact the AppScan support team for guidance.

Note that the Security Manager is deprecated for removal since JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so confirm that your JDK still supports it before relying on this configuration.

To run the Java agent with security manager as war on Tomcat:

Procedure

  1. Locate the catalina.policy file.
    It is in the conf directory of the Tomcat installation (CATALINA_BASE/conf/catalina.policy on most installations). The exact path might vary depending on your operating system and Tomcat version.
  2. Open the catalina.policy file in a text editor.
  3. Locate the "grant" block.

    Look for a block starting with the keyword "grant" followed by one or more "permission" statements.

  4. Add the required permissions as follows:
    1. Inside the "grant" block, add the following permission:
      permission java.lang.RuntimePermission "net.bytebuddy.*";
    2. At the end of the file, add the following grant. It gives the agent's own code base, and only that code base, unrestricted permissions:
      grant codeBase "file:${catalina.base}/webapps/Secagent/-" {
          permission java.security.AllPermission;
      };
  5. Save the catalina.policy file.
  6. Restart the Tomcat server with the security manager enabled (for example, catalina.sh start -security or catalina.bat start -security) to apply the changes. Without the -security option Tomcat ignores catalina.policy entirely.
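The policy edit in steps 1 to 6, as an added example script that is not part of the AppScan documentation or of Tomcat. It assumes (the page does not say this) that the "grant" block in step 3 is Tomcat's default web-application block, the one that begins with a bare "grant {" line; pass a different block header as the second argument if your policy differs. The two permission lines are the ones given on this page; the backup file, function names and the constructed sample policy are the example's own.

```shell
#!/bin/sh
# Added example (not AppScan's or Tomcat's own tooling): apply the two
# catalina.policy changes from the procedure above idempotently, keeping a
# backup so the edit can be reverted. Rerunning the script is safe.

BYTEBUDDY_PERM='permission java.lang.RuntimePermission "net.bytebuddy.*";'
SECAGENT_GRANT_OPEN='grant codeBase "file:${catalina.base}/webapps/Secagent/-" {'

# add_bytebuddy_permission POLICY_FILE [GRANT_LINE]
# Inserts the RuntimePermission as the first line of the block whose header
# line starts with GRANT_LINE. Assumption: the default is Tomcat's bare
# "grant {" block (the permissions granted to all web applications).
add_bytebuddy_permission() {
    file=$1
    header=$2
    [ -n "$header" ] || header='grant {'
    grep -qF "$BYTEBUDDY_PERM" "$file" && return 0   # already present
    awk -v hdr="$header" -v perm="$BYTEBUDDY_PERM" '
        { print }
        !done && index($0, hdr) == 1 { print "    " perm; done = 1 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# add_secagent_grant POLICY_FILE
# Appends the AllPermission grant for the Secagent code base if it is missing.
add_secagent_grant() {
    file=$1
    grep -qF "$SECAGENT_GRANT_OPEN" "$file" && return 0   # already present
    printf '\n%s\n    permission java.security.AllPermission;\n};\n' \
        "$SECAGENT_GRANT_OPEN" >> "$file"
}

# install_iast_policy POLICY_FILE [GRANT_LINE]
# Backs the file up once (POLICY_FILE.bak), then applies both changes.
install_iast_policy() {
    file=$1
    [ -f "$file.bak" ] || cp "$file" "$file.bak"
    add_bytebuddy_permission "$file" "$2"
    add_secagent_grant "$file"
}

# count_occurrences POLICY_FILE STRING -> number of lines containing STRING
count_occurrences() {
    grep -cF "$2" "$1" || true
}

# line_after POLICY_FILE GRANT_LINE -> the line that follows the block header
line_after() {
    awk -v hdr="$2" 'found { print; exit } index($0, hdr) == 1 { found = 1 }' "$1"
}

# Example usage (path is an assumption):
#   install_iast_policy "$CATALINA_BASE/conf/catalina.policy"
#   "$CATALINA_HOME/bin/catalina.sh" start -security
```

Checking for the exact permission line before editing is what makes the script safe to run from a deployment pipeline: a second run leaves the file untouched instead of appending a duplicate grant.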