Installing IBM Security AppScan Enterprise

This guide describes what steps and actions are necessary to install a new instance of IBM Security AppScan Enterprise.

Determine what you need to install

Before you start, decide whether you need to perform blackbox security testing with AppScan Enterprise, which operating system AppScan Enterprise will be installed on, and whether you already have a Rational License Key Server installed.

    Note: Microsoft Windows Server 2003 is no longer supported in this release.

To use this software product, a specific license key is required. Product licenses are acquired through the IBM License Key Center and installed on one or more Rational License Key Servers to serve and manage licenses in the enterprise.

The instructions that follow cover each of these installation options.

Complete the planning checklist

Use this planning checklist to ensure that you are ready to install.

Planning tasks (the related topic for more information is given in parentheses):

  • System Requirements: Check that the installation environment meets the recommended system requirements. (See: Recommended system requirements)
  • Service Account: Create the service account that will be used to run the AppScan Enterprise service. Verify that it is configured and ready to use. (See: Service Account)
  • SQL Server Configuration: Add service account database access to the Microsoft SQL Server instance. (See: SQL server service account configuration)
  • SQL Server Database Encryption: The AppScan Enterprise database is not encrypted by default. Enable Transparent Data Encryption (TDE) or use the Encrypting File System (EFS) feature on the SQL server. This step can be performed after installation. (See: Enable TDE, Enable EFS)
  • Server certificates for Liberty: Export your server certificate from IIS as a .pfx file, and give it a password. It contains information that you need during configuration to ensure AppScan Enterprise works with WebSphere® Application Server Liberty Core. If you don't have a server certificate, create one from your certificate authority. (See: Using a certificate in your certificate store with Liberty)
  • Download files: Download the setup files that are required to install AppScan Enterprise. (See: Download instructions)
      • IBM Security AppScan Enterprise Server V9.0.3 Windows Multilingual (Part Number CN7L3ML)
      • IBM Security AppScan Enterprise Dynamic Analysis Scanner V9.0.3 Windows Multilingual (Part Number CN7L2ML)
      • Rational License Key Server V8.1.4 Multilingual (Part Number CRP2XML)
      • IBM Security AppScan Enterprise Server V9.0.3 Linux Multilingual (Part Number CN74ML)
      • AppScan Source V9.0.3 for Automation or Analysis (Part Number CN7L8ML, CN7LCML)
  • Licenses: Generate, download and install the required license files. (See: Product and user licenses)
      • AppScan Enterprise Server License Key *
      • AppScan Enterprise User License Key(s) *
      • AppScan Enterprise Dynamic Analysis Scanner Per Install License Key

* NOTE: For more information on what type of server and user license keys you have access to, refer to your sales order agreement, contact your purchasing agent, or view the licenses in the Rational License Key Center.
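The following PowerShell script is an added example (not part of the IBM guide) that checks the prerequisites from the planning checklist before the installer is run: .NET 4.6.2, a resolvable service account, a TCP/IP connection to the SQL Server instance, and the export of the IIS server certificate as a password-protected .pfx for the Liberty keystore. The account name, SQL Server host and instance, certificate subject and output path are assumed placeholders to replace with your own values.

```powershell
# Added pre-flight check for the planning checklist (example, not IBM's code).
# All values below are placeholders (assumptions) to replace for your environment.
param(
    [string]$ServiceAccount = 'CORP\svc-appscan',         # assumed service account
    [string]$SqlServer      = 'sqlserver01\ASEINSTANCE',  # assumed host\instance (host alone for a default instance)
    [string]$CertSubject    = 'CN=appscan.corp.example',  # assumed subject of the IIS server certificate
    [string]$PfxPath        = 'C:\install\appscan-liberty.pfx'
)

$results = [ordered]@{}

# 1. .NET Framework 4.6.2 or later. 394802 is the lowest Release value Microsoft
#    assigns to 4.6.2; the installer prompts to install the framework when it is absent.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET 4.6.2+'] = ($null -ne $ndp -and $ndp.Release -ge 394802)

# 2. The service account exists and resolves to a SID (a mistyped name is the usual failure).
try {
    $null = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier])
    $results['Service account resolves'] = $true
} catch {
    $results['Service account resolves'] = $false
}

# 3. SQL Server reachable over TCP/IP with Windows authentication. A named instance
#    needs TCP/IP enabled and the SQL Server Browser service running, as the guide notes.
#    Run this script as the service account to exercise the database access granted to it.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Integrated Security=True;Connect Timeout=10")
try {
    $conn.Open()
    $results['SQL Server connection'] = $true
    $conn.Close()
} catch {
    $results['SQL Server connection'] = $false
    Write-Warning "SQL connection failed: $($_.Exception.Message)"
}

# 4. Export the server certificate with its private key as a password-protected .pfx
#    for the Configuration wizard's Server Keystore step. The private key must be
#    marked exportable and the session must be elevated.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if ($null -eq $cert) {
    $results['Certificate export'] = $false
    Write-Warning "No certificate with subject '$CertSubject' and a private key in LocalMachine\My"
} else {
    $pfxPassword = Read-Host -Prompt 'Password for the .pfx' -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
    $results['Certificate export'] = Test-Path $PfxPath
}

# Summary: every entry should read OK before the installer is started.
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```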


Multi-server installation

The multi-server installation is useful for production or medium-sized teams and multiple server deployments. In this type of installation, databases are installed on a single database server and each component is installed on a dedicated server.

Typical installation configuration:

Production topology example with multiple servers (Recommended configuration)

Single server installation

Note: The single server installation is a general representation of an evaluation installation. The SQL Server database is installed on a separate server.


AppScan Enterprise Installation steps

NOTE: IIS will be installed/configured automatically and does not require any action on your part.

  1. Log in to server: Log in to the server with the service account created above, or with an account that has local administrative permissions and database owner permissions.
    • Install/verify IIS is installed and configured correctly: For Microsoft Windows Server 2008, IIS needs to be installed and configured manually. Install IIS 7 as described in Installing IIS 7 on Windows Server 2008. In Step 8 under "Install IIS 7.0 on Windows Server 2008", make sure the following features are selected to install:

      • Common HTTP Features (all components except HTTP Redirection)
      • Application Development (ASP.NET, ISAPI Extensions, ISAPI Filters)
      • Health and Diagnostics (HTTP Logging, Request Monitor)
      • Security (Basic and Windows Authentication)
      • Performance (Static Content Compression)
      • Management Tools (IIS Management console)
      • IIS 6 Management Compatibility (All)

  2. Run the installer: Go to the directory where you downloaded the executable file (AppScanEnterpriseServerSetup_9.0.3.exe) and double-click the file. Note: It might take a while for the next screen to display.
  3. Installing Microsoft .NET 4.6.2 Framework: After running the installer, if Microsoft .NET 4.6.2 is not currently installed, a prompt will appear asking you to install the framework. Select Yes to install, because the .NET Framework must be installed for the program to function.
  4. Installing IBM Rational License Key Server (local): If the License Key Server is to run on this server, click Yes when the installer asks you to install Rational License Key Server and perform the following steps:

    1. In the Rational License Server installer, click Install or Update IBM Rational License Key Server.
    2. If IBM® Installation Manager is not already installed on your system, it launches for installation purposes. Click Install.
    3. On the first page of the Install Packages wizard, ensure that the IBM Rational License Key Server check box, and check boxes for all entries beneath it, are selected. Click Next.
    4. In the Prerequisites page, you are instructed to close all applications and disable anti-virus software. Complete these precautionary tasks and then click Next.
    5. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.
    6. In the Location page, specify the installation directory and then click Next.
    7. Complete the Package Group page according to your needs (for example, if you are using Installation Manager for the first time and have no existing package group, leave the default settings as-is). Click Next.
    8. In the Translation Selection page, select the national languages that you want to install. Click Next.
    9. On the Features page, ensure that all features are selected and then click Next.
    10. A summary of what is installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.
    11. When the installation is complete, click Finish and close IBM Installation Manager.
    12. Start the IBM Rational License Key Administrator from the Windows Start menu (in the Programs menu, launch IBM Rational > License Key Administrator).
    13. When the IBM Rational License Key Administrator starts, you are prompted with the License Key Administrator wizard (if the wizard does not open automatically, select License Keys > License Key Wizard from the main menu). In this wizard, select Import a Rational License File and then click Next.
    14. In the Import a License File panel, click Browse and then browse to your AppScan Enterprise Server license file. Open the file with the browse dialog box and then click Import.
    15. After you confirm the license or licenses to import, the Restart License Server dialog box will open. Click Yes to restart the license server. If the License Server service fails to start, open the Windows Services administrative tool. In the tool, locate FLEXlm License Manager and start it.
  5. IBM Rational License Key Server - Remote: If the Rational License Key Server was installed on a remote server, a prompt will still appear asking you to install the License Key Server locally because it is not present on this server. Select No, because the license server is already running remotely.
  6. AppScan Enterprise Installer
    1. In the Setup wizard Welcome screen, click Next.
    2. In the License Agreement window, select the I accept the terms in the license agreement option, and click Next.
    3. In the Program Features window, select the Web Services Explore option if web service security scanning will be performed and click Next.
    4. In the Destination Folder window, do one of the following actions:
      1. Click Next to accept the default installation location.
      2. Click Change to select a different installation location, and then click Next.
    5. In the Ready to Install the Program window, click Install to proceed with the installation.
    6. On the Setup Wizard Completed screen, click Finish.

Configuration Wizard steps

After you install AppScan Enterprise, you must run the Configuration wizard to configure the installed components.
  1. License Server: In the License Server window, specify the Rational License Server to use for licenses. See License Server.
  2. Server Components: In the Server Components window, select the components that you want to configure. The components available to you depend on your license. See Server Components. If you are installing the components on one machine, select all the check boxes, even if you have installed one of the components previously.

    • User Administration
    • Enterprise Console
    • Dynamic Analysis Scanner
  3. Instance name: The name of the IIS instance. Leave this option as the default unless there is a reason to change the value.
  4. Service Account: In the Service Account window, enter the Domain/Username Service Account and password, and click Next. See Service Account.
  5. Database Connection: In the Database Connection window, enter the SQL Server name, port number, and the name of the database you are connecting to. You can click Test Connection to make sure you can connect to the SQL Server. The configuration wizard does not proceed until the connection is successful. When AppScan Enterprise Server creates the database in SQL Server, it automatically configures the collation for it.

    Note:

    • If you are upgrading an existing database from v8.6 or earlier, enter the Database Master Key Password on the next screen to access it. Keep this password in a secure location.
    • If your environment uses a named SQL Server instance for the AppScan Enterprise database or SQL Server Express, make sure that TCP/IP is enabled in the SQL Server Configuration Manager, and restart the SQL services for SQL Server and SQL Server Browser. This applies, for example, when you specify the instance name as SQL Server or Server\Instance name: <sql_server_host>\<sql_server_instance> instead of SQL Server or Server\Instance name: <sql_server_host>.

  6. Server Certificate: In the Server Certificate window, choose a certificate specific to your organization. This step helps you deploy a secure AppScan Enterprise in your environment.
  7. Server Keystore: In the Server Keystore screen, select a server keystore to be used by the Enterprise Console. If you exported a .pfx file, select Public key cryptography standards #12 (PKCS #12). Browse to the location where you saved the .pfx file, import it, and enter the password you created when you exported the file. See Server Keystore.
  8. Authentication Mechanism: In the Authentication Mechanism window, select the Authentication Mechanism to be used to log in to the Enterprise Console: either Authenticate via Windows or Authenticate via LDAP. See Authentication Mechanism. Note: If you need to authenticate with the Common Access Card (CAC), make sure you choose LDAP as your authentication mechanism. Once AppScan Enterprise is configured, follow the instructions in Authenticating with the Common Access Card (CAC) to authenticate with CAC.

  9. In the Server Configuration window,
    1. Configure the host name and port of the Liberty server for AppScan Server to use. If you are using Windows authentication, prefix the host name with your domain name.
    2. While it is not a recommended practice, you can allow SSL connections with invalid or untrusted certificates during scanning. When the option is disabled, messages will appear in the scan log to indicate that the insecure server could not be reached for scanning. This option also affects the Manual Explore functionality.
    3. Configure the Advisory services port (installed with the Enterprise Console). This port runs over HTTP and is used by the node.js server to provide advisories and fix recommendations. The advisories appear in the About this Issue page for the application issues, and provide fix recommendations. You can select a different port if 9444 is already used.
  10. Product Administrator: Enter the username and password for the user that will be the Product Administrator.
  11. Ensure that nobody is accessing the database, and click Finish in the Specifications Complete window to complete the configuration. This process might take a while.
  12. Optional: Select the Start the Services check box to automatically start the services. Note: If you do not choose to automatically start the agent service, the agents do not pick up any jobs that are created by users. You can manually start the service by using the Administrative tools; see Verifying the agent service and alerting service installation.

Running the Default Settings wizard

This wizard helps you populate an instance with sample data by providing defaults for a number of configurable options. You can create users, add security test policies, create scan templates, add pre-created dashboards, and configure defect tracking integration with Rational Quality Manager or Rational Team Concert.

About this task

Ensure that the Launch Default Settings Wizard check box is selected when the Configuration wizard finishes.

Procedure

  1. In the Welcome page, choose the instance that you want to update, and click Next.
  2. In the Initialization Type window, select one of the available initializations, and click Next.
  3. In the Default Setting window, configure the following options and click Next:
    1. Instance: Select the instance name for this setup. The Instance that was configured in the Configuration wizard is selected here by default.
    2. Contact: The name or a point of contact for the items that are created by the wizard. You can edit these items later if necessary.
    3. Root folder name: Enter a name for the default root folder. The default folder acts as the root folder for all other folders you create.
    4. Application URL: Enter the URL for the application users to access the application. By default, this URL is the current computer's FQDN (fully qualified domain name). (for example, http://myserver/mydomain/appscan/).
  4. In the LDAP Settings page, select the Enable LDAP check box if you use an LDAP server.
    1. In the Server Name field, enter the LDAP group name.
    2. In the Group Query field, enter the path of the group query that is used to retrieve user group information. You can use an LDAP server or an Active Directory server.
    3. Optional: If you want to integrate with the LDAP server by using anonymous access, select the Anonymous access check box. This option is disabled by default.
    4. Click Test LDAP to confirm the configuration works.
  5. In the IP Security Permissions page, configure the IP addresses and ranges that are allowed for scanning. Use a dash to define IPv4 ranges (such as 1.2.3.4–); use a prefix to define IPv6 ranges (such as fe80::/10).
  6. In the Populate Database with Sample Data page, select the Populate Sample Data check box to populate the database with scan templates, pre-created dashboards, server groups, and test policies.
  7. Click Next. The Default Settings Wizard Progress page opens, displaying the setup's progress.
  8. When the wizard is complete, the Default Settings Wizard Complete page opens.
  9. Click Exit to close the wizard.

Optional: Verifying the installation of the Enterprise Console

After the installation process is complete, you can verify the installation of the Enterprise Console.
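As an added example (not from the IBM guide), the PowerShell below connects to the Liberty HTTPS port configured in the Server Configuration step, reads the certificate the server actually presents and compares it with the thumbprint of the certificate imported in the Server Keystore step, then checks that the Advisory services port answers. The host name, ports and expected thumbprint are assumptions to replace with your own values.

```powershell
# Added post-configuration check for the Enterprise Console (example, not IBM's code).
# Placeholders: replace $LibertyHost, the ports and $ExpectedThumbprint with your own values.
param(
    [string]$LibertyHost        = 'appscan.corp.example',   # assumed Liberty host from the Server Configuration step
    [int]   $LibertyPort        = 9443,                     # assumed Liberty HTTPS port (9443 is the Linux install default)
    [int]   $AdvisoryPort       = 9444,                     # Advisory services port (HTTP) from the Server Configuration step
    [string]$ExpectedThumbprint = 'PLACEHOLDER-THUMBPRINT'  # thumbprint of the .pfx imported in the Server Keystore step
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    # The validation callback accepts any certificate only so that it can be read;
    # the thumbprint comparison below is the real check.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $remote.Subject
            Thumbprint = $remote.Thumbprint
            NotAfter   = $remote.NotAfter
            Protocol   = $ssl.SslProtocol
        }
    } finally {
        $client.Close()
    }
}

$presented = Get-PresentedCertificate -HostName $LibertyHost -Port $LibertyPort
$presented | Format-List

if ($presented.Thumbprint -eq $ExpectedThumbprint) {
    "OK    Liberty presents the organization certificate imported in the Server Keystore step"
} else {
    "CHECK Liberty presents a different certificate (thumbprint $($presented.Thumbprint)); re-check the Server Keystore step"
}

if ($presented.NotAfter -lt (Get-Date).AddDays(30)) {
    "CHECK certificate expires on $($presented.NotAfter); renew it and re-import the new .pfx"
}

# The Advisory services port runs over plain HTTP, as the guide states; confirm that it
# answers from the Enterprise Console host.
$adv = Test-NetConnection -ComputerName $LibertyHost -Port $AdvisoryPort -WarningAction SilentlyContinue
if ($adv.TcpTestSucceeded) {
    "OK    Advisory services port $AdvisoryPort is listening"
} else {
    "CHECK Advisory services port $AdvisoryPort is not reachable; verify the port chosen in the Server Configuration step"
}
```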

Dynamic Analysis Scanner Installation steps

Use this procedure to install the agents that are used for scanning and testing your website applications.

  1. Log in to server: Log in to the server with the service account created above, or with an account that has local administrative permissions and database owner permissions.
  2. Run the installer: IBM Security AppScan Enterprise Dynamic Analysis Scanner V9.0.3 Windows Multilingual (ASE_DASSetup_9.0.3.exe)
  3. Installing Microsoft .NET 4.6.2 Framework: After running the installer, if Microsoft .NET 4.6.2 is not currently installed, a prompt will appear asking to install the framework. Select Yes to install, because the .NET Framework must be installed for the program to function.
  4. Dynamic Analysis Installer:
    1. In the Setup wizard Welcome screen, click Next.
    2. In the License Agreement window, select the I accept the terms in the license agreement option, and click Next.
    3. In the Program Features window, select the Web Services Explore option if web service security scanning will be performed and click Next.
    4. In the Destination Folder window, do one of the following actions and click Next:
      1. Click Next to accept the default installation location.
      2. Click Change to select a different installation location.
    5. In the Ready to Install the Program window, click Install to proceed with the installation.
    6. On the Setup Wizard Completed screen, click Finish.

Configuration Wizard steps for Dynamic Analysis Scanner

After you install the Dynamic Analysis Scanner, you must run the Configuration wizard to configure the installed component.
  1. License Server: In the License Server window, specify the Rational License Server to use for licenses. See License Server.
  2. Server Components: In the Server Components window, select the components that you want to configure. The components available to you depend on your license. See Server Components.
    • User Administration
    • Enterprise Console
    • Dynamic Analysis Scanner

  3. Instance name: This window displays the IIS Instance name. Leave this option as the default, unless you have a reason to change it.
  4. Authentication Mechanism: In the Authentication Mechanism window, select the Authentication Mechanism to be used to log in to the Enterprise Console: either Authenticate via Windows or Authenticate via LDAP. See Authentication Mechanism.

  5. Service Account: In the Service Account window, enter the Domain/Username Service Account and password, and click Next. See Service Account.
  6. Database Connection: In the Database Connection window, enter the name of the database server, or select one from the SQL Server or Server\Instance name list. Enter the database name. When AppScan Enterprise Server creates the database in SQL Server, it automatically configures the collation for it.
  7. Server Certificate: In the Server Certificate window, enable HTTPS for the Enterprise Console to help ensure stronger security protection, and choose a certificate specific to your organization. This step helps you deploy a secure AppScan Enterprise in your environment.
  8. In the Server Configuration window,
    1. Configure the host name and port of the Liberty server for AppScan Server to use. If you are using Windows authentication, prefix the host name with your domain name.
    2. While it is not a recommended practice, you can allow SSL connections with invalid or untrusted certificates during scanning. When the option is disabled, messages will appear in the scan log to indicate that the insecure server could not be reached for scanning. This option also affects the Manual Explore functionality.
    3. Configure the Advisory services port (installed with the Enterprise Console). This port runs over HTTP and is used by the node.js server to provide advisories and fix recommendations. You can select a different port if 9444 is already used.
  9. Product Administrator: Enter the username and password for the user that will be the Product Administrator.
  10. Ensure that nobody is accessing the database, and click Finish in the Specifications Complete window to complete the configuration. This process might take a while.
  11. Optional: Select the Start the Services check box to automatically start the services. Note: If you do not choose to automatically start the agent service, the agents do not pick up any jobs that are created by users. You can manually start the service by using the Administrative tools; see Verifying the agent service and alerting service installation.

Installing the User Component on Linux for AppScan Source

Use these instructions to install the User Administration component to configure AppScan® Source users.
  1. On the Linux computer, log in with root access privileges.
  2. Type ls -l AppScanServerSetup_9.0.3.bin. Make sure that you see -rwxrwxr-x in the result listing.
  3. Run the .bin file. Type ./AppScanServerSetup_9.0.3.bin, and press Enter to start the installer.
  4. Pick a language for installation and click OK > Next.
  5. Accept the terms of the license agreement.
  6. Choose an installation folder (the default location is /opt/IBM/AppScan_Server).
  7. Review the installation summary and click Install. The files are copied onto the Linux computer.
  8. Configure the Liberty Server name, port number (the default is 9443), and the Rational License Server name. Click Next.
  9. Configure the LDAP settings. Select an LDAP server type. Some of the LDAP configuration fields are pre-populated for you. Check that they are correct for your environment.
    1. If your LDAP server supports SSL, select the Connect to LDAP server using SSL check box.
    2. Enter the LDAP server host name and port (389 is default), and the Base DN.
    3. If you need to be authenticated on the LDAP server, enter the Bind DN and the Bind password. Click Next.
  10. Configure the product administrator’s user name, and click Next. After the Liberty service is configured, the installation is complete.
Now an AppScan Source administrator can connect to the AppScan Server on Linux to validate and administer their users.

Configuring AppScan Source Database with AppScan Enterprise Console

After you finish configuring AppScan Enterprise, you must run the AppScan Source installer to install and configure your AppScan Source Database.

  1. Installing AppScan Source components in a multi-machine environment
  2. Install and configure AppScan Source Database
  3. Registering the AppScan Source Database with AppScan Enterprise Server

Performance FAQs
