Installing all required components on one computer

In this scenario, all components are installed on one computer. This type of deployment is best suited for demonstration or training deployments, not full production environments.

About this task

This scenario is divided into several sections:
Note:
  1. This scenario assumes that the SQL Server database is installed and configured so that key information is available during configuration of AppScan Enterprise Server.
  2. If you already have a Rational License Key Server that is deployed on your network, skip to the Installing HCL AppScan Enterprise Server task.
  3. If you are upgrading from a previous version of AppScan Enterprise, read Replacing Jazz Team Server with WebSphere Liberty - Frequently asked questions before you begin upgrading.
  4. To migrate Jazz Team Users users to this new authentication method, export a .csv file of users by using the cd <install-dir>\Appscan Enterpise\JazzTeamServer\server\ repotools-jts.bat -exportUsers toFile=C:\users.csv repositoryURL=https://<hostname>:9443/jts before you begin upgrading to v9.0.1. Then follow the steps in this topic: Configuring a basic user registry for the Liberty profile to import the users into Liberty.

Installing HCL Rational License Key Server

The Rational License Key Server is used for hosting your AppScan Enterprise Server license. If you do not have a Rational License Key Server on your network, you can install it locally when you install AppScan Enterprise Server.

About this task

If you already have a supported version of Rational License Server that is installed, you can skip the portion of these instructions that cover Rational License Server installation - and proceed to the portion of the instructions that covers starting License Key Administrator and importing your license.)

Procedure

  1. Go to the directory where you downloaded the executable file (AppScanEnterpriseServerSetup_<version>.exe) and double-click the file. (The Rational License Key Server is bundled in this .exe file.)
    Note: It might take a while for the next screen to display.
  2. Click Yes when you are asked to install Rational License Key Server.
  3. In the Rational License Server installer, click Install or Update HCL Rational License Key Server.
  4. If HCL Installation Manager is not already installed on your system, it launches for installation purposes. Click Install.
  5. On the first page of the Install Packages wizard, ensure that the HCL Rational License Key Server check box, and check boxes for all entries beneath it, are selected. Click Next.
  6. In the Prerequisites page, you are instructed to close all applications and disable anti-virus software. Complete these precautionary tasks and then click Next.
  7. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.
  8. In the Location page, specify the installation directory and then click Next.
  9. Complete the Package Group page according to your needs
    (for example, if you are using Installation Manager for the first time and have no existing package group, leave the default settings as-is). Click Next.
  10. In the Translation Selection page, select the national languages that you want to install. Click Next.
  11. On the Features page, ensure that all features are selected and then click Next.
  12. A summary of what is installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.
  13. When the installation is complete, click Finish and close HCL Installation Manager.
  14. Start the HCL Rational License Key Administrator from the Windows Start menu (in the Programs menu, launch HCL Rational > License Key Administrator).
  15. When the HCL Rational License Key Administrator starts, you are prompted with the License Key Administrator wizard (if the wizard does not open automatically, select License Keys > License Key Wizard from the main menu). In this wizard, select Import a Rational License File and then click Next.
  16. In the Import a License File panel, click Browse and then browse to your AppScan Enterprise Server license file. Open the file with the browse dialog box and then click Import. This table maps the license names in LKAD to the license types in AppScan Enterprise.
    Table 1. AppScan Enterprise licenses

    AppScan licenses
    License What it is for
    AppScan Enterprise Dynamic Analysis Scanner Per Install License Key Dynamic Analysis Scanner
    AppScan Enterprise Dynamic Analysis User Authorized User Single Install License Key Authorized Scanning
    AppScan Enterprise Dynamic Analysis User Floating User Single Install License Key Floating Scanning
    AppScan Enterprise Server Basic Per Install License Key Enterprise Server Basic
    AppScan Enterprise Server Per Install License Key Enterprise Server Premium
    Appscan Enterprise Edition Reporting Only User Authorized User Single Install License Key Authorized Reporting
    Appscan Enterprise Edition Reporting Only User Floating User Single Install License Key Floating Reporting
  17. After you confirm the license or licenses to import, the Restart License Server dialog box will open. Click Yes to restart the license server. If the License Server service fails to start, open the Windows™ Services administrative tool. In the tool, locate FLEXlm License Manager and start it.

Results



Installing HCL AppScan Enterprise Server

Use this procedure to install the User Administration component and Enterprise Console for reporting and user administration tasks.

Before you begin

Make sure you read Required user account information during installation and configuration so that you know which user account to use during installation.

About this task

If you have a Rational License Key Server that is already deployed elsewhere on your network, start at Step 1; otherwise start at Step 2.

Procedure

  1. Go to the directory where you downloaded the compressed file (AppScanEnterpriseServerSetup_<version>.zip), extract the files, and double-click the AppScanEnterpriseServerSetup_<version>.exe file.
    Note: It might take a while for the next screen to display. The compressed file includes these files:
    • AppScanEnterpriseServerSetup_<version>.exe
    • HCL AppScan Enterprise Server.msi - do not run this file
    • Data1.cab
  2. If you do not already have Rational License Key Server that is installed on your network, install it when prompted, and follow the procedure in the Installing Rational License Key Server task. Otherwise, click No.
  3. In the Setup wizard Welcome screen, click Next.
  4. In the License Agreement window, select the I accept the terms in the license agreement option, and click Next.
  5. In the Destination Folder window, do one of the following actions and click Next:
    1. Click Next to accept the default installation location.
    2. Click Change to select a different installation location.
  6. In the Ready to Install the Program window, click Install to proceed with the installation.
  7. On the Setup Wizard Completed screen, click Finish to launch the Configuration Wizard.

Results



Running the Configuration wizard

After you install or upgrade the Server or Scanner, you must configure each installed component and run the Configuration wizard on all instances and on all servers.

Before you begin

  1. During configuration, you define the name and location of the SQL Server database to be used, and the service account name and password. The user who runs the configuration wizard must be able to create a database and grant rights.
  2. If you encounter an error "**WARNING** Unable to configure virtual directory "ase" for local directory "C:\Program Files (x86)\HCL\AppScan Enterprise\WebApp". Ensure IIS is configured properly and try again. ", consider disabling your antivirus software while you are running the configuration wizard. If you do not want to disable the antivirus software, you can exclude the AppScan Enterprise folder from the antivirus configuration, and run the configuration wizard again.

Procedure

  1. When the installation is complete, the Configuration wizard launches automatically. You can also start it by selecting Configuration Wizard from the Windows Start menu.
  2. In the Welcome screen, click Next.
  3. In the License Server window, specify the Rational License Server to use for licenses. See License Server.

    Do not check the AppScan Source standalone evaluation check box.
  4. In the Server Components window, select the components that you want to configure. The components available to you depend on your license. See Server Components. If you are installing the components on one machine, select all the check boxes, even if you have installed one of the components previously.

  5. In the Instance Name window, specify the name of the instance you want to configure. See Instance Name.

  6. In the Service Account window, enter the Domain/Username Service Account and password, and click Next. See Service Account.

  7. In the Database Connection window, enter the SQL Server name, port number, and the name of the database you are connecting to. You can click Test Connection to make sure you can connect to the SQL Server. The configuration wizard does not proceed until the connection is successful. When AppScan Enterprise Server creates the database in SQL Server, it automatically configures the collation for it.

    Note:
    1. The syntax for the SQL Server name has changed with the introduction of Liberty support. ".\SQL_SERVER_NAME" no longer works. Use "HOSTNAME\SQL_SERVER_NAME" instead.
    2. If you are upgrading an existing database from v8.6 or earlier, enter the Database Master Key Password on the next screen to access it. Keep this password in a secure location.
    3. If your environment uses a named SQL Server instance for the AppScan Enterprise database, make sure that TCP/IP is enabled in the SQL Server configuration manager, and restart the SQL services for SQL Server. Use the port number of the named SQL Server instance instead of the default port number (1443).
  8. In the Server Certificate window, choose a certificate specific to your organization. This step helps you deploy a secure AppScan Enterprise in your environment. See Server Certificate.

  9. (Upgrade only). In the Restore AppScan Server Settings screen, you can choose to restore previous AppScan Server customized settings on the Liberty Server (default). This screen appears once upon upgrade; if you run the configuration wizard later, this screen won't appear. See Restore AppScan Server settings.
  10. In the Server Keystore screen, select a server keystore to be used by the Enterprise Console. If you exported a .pfx file, select Public key cryptography standards #12 (PKCS #12). Browse to the location where you saved the .pfx file, import it and enter the password you created when you exported the file. See Server Keystore.

  11. In the Authentication Mechanism window, select an Authentication Mechanism to use to log in to the Enterprise Console. The default is to authenticate via Windows. To use LDAP, see Authentication Mechanism.

    Note: If you need to authenticate with the Common Access Card (CAC), make sure you choose LDAP as your authentication mechanism. Once AppScan Enterprise is configured, follow the instructions in Authenticating with the Common Access Card (CAC) to authenticate with CAC.
  12. In the Server Configuration window,

    1. Configure the host name and port of the Liberty server for AppScan Server to use. If you are using Windows authentication, prefix the host name with your domain name.
    2. While it is not a recommended practice, you can allow SSL connections with invalid or untrusted certificates during scanning. When the option is disabled, messages will appear in the scan log to indicate that the insecure server could not be reached for scanning. This option also affects the Manual Explore functionality.
    3. : Configure the Advisory services port (installed with the Enterprise Console). This port runs over HTTP and is used by the node.js server to provide advisories and fix recommendations. The advisories appear in the About this Issue page for the application issues, and provide fix recommendations. You can select a different port if 9444 is already used.
  13. (upgrade only) In the Database Encryption Changes window, click Help to learn how to protect the SQL Server where the database is located. If you decide not to enable TDE, select the check box so you can continue configuration.

    Note: AppScan Enterprise uses transparent data encryption (TDE) technology that is available in SQL Server 2008 and later. TDE encrypts the data that is stored in the database or in backups on physical media. If you are using an older version of SQL Server, any data that is contained in that database is at risk of compromise by unauthorized access.
  14. In the Product Administrator window, specify a user as Product Administrator. This user is licensed separately; if you want to reassign the Product Administrator license, you must rerun the configuration wizard. See Product Administrator.

  15. Ensure that nobody is accessing the database, and click Finish in the Specifications Complete window to complete the configuration. This process might take awhile.
    Note:
    1. IIS AppPool settings on Windows 2008 Server R2 are set during configuration:
      • IIS recycling is set at 2:00am
      • Idle timeout is set at 120 minutes
    2. If you see an error message that the proxy server certificate cannot be configured, it might be expired. Contact your Product Administrator to investigate further.
  16. Optional: Select the Start the Services check box to automatically start the services.
    Note: If you do not choose to automatically start the agent service, the agents do not pick up any jobs that are created by users. You can manually start the service by using the Administrative tools; see Verifying the agent service and alerting service installation.
  17. Run the Default Settings Wizard. This wizard helps you to install sample data in by providing defaults for a number of configurable options.
  18. Click Exit.

Running the Default Settings wizard

This wizard helps you install sample data in by providing defaults for a number of configurable options. You can create users, add security test policies, create scan templates, add pre-created dashboards, and configure defect tracking integration with Rational Quality Manager or Rational Team Concert.

About this task

Ensure that the Launch Default Settings Wizard check box is selected when the Configuration wizard finishes.

Procedure

  1. In the Welcome page, choose the instance that you want to update, and click Next.
  2. In the Initialization Type window, select one of the available initializations, and click Next.
  3. In the Default Setting window, configure the following options and click Next:
    1. Instance: Select the instance name for this setup. The Instance that was configured in the Configuration wizard is selected here by default.
    2. Contact: The name or a point of contact for the items that are created by the wizard. You can edit these items later if necessary.
    3. Root folder name: Enter a name for the default root folder. The default folder acts as the root folder for all other folders you create.
    4. Application URL: Enter the URL for the application users to access the application. By default, this URL is the current computer's FQDN (fully qualified domain name).
      (for example, http://myserver/mydomain/appscan/).
  4. (Windows authentication only): In the LDAP Settings page, select the Enable LDAP check box if you use an LDAP server.
    1. In the Server Name field, enter the LDAP group name.
    2. In the Group Query field, enter the path of the group query that is used to retrieve user group information. You can use an LDAP server or an Active Directory server.
    3. Optional: If you want to integrate with the LDAP server by using anonymous access, select the Anonymous access check box. This option is disabled by default.
    4. Click Test LDAP to confirm the configuration works.
  5. In the IP Security Permissions page, configure the IP addresses and ranges that are allowed for scanning. Use a dash to define IPv4 ranges (such as 1.2.3.4 - ); use a prefix to define IPv6 ranges (such as fe80::/10).
  6. In the Populate Database with Sample Data page, select the Populate Sample Data check box to populate the database with scan templates, pre-created dashboards, server groups, and test policies.
  7. Click Next. The Default Settings Wizard Progress page opens, displaying the setup's progress.
  8. When the wizard is complete, the Default Settings Wizard Complete page opens.
  9. Click Exit to close the wizard.

Installing HCL Dynamic Analysis Scanner

Use this procedure to install the agents that are used for scanning and testing your website applications.

Before you begin

Note:
  1. Make sure you read Required user account information during installation and configuration so that you know which user account to use during installation.
  2. Any technologies that you use on your website must also be installed with the Scanner. For example, if you use Flash on any web pages, you must have the correct version of Flash installed.

Procedure

  1. Go to the directory where you downloaded the executable file (ASE_DASSetup_<version>.exe) and double-click the file.
    Note: It might take a while for the next screen to display.
  2. In the License Agreement window, select the I accept the terms in the license agreement option, and click Next.
  3. Optional: In the Program Features window, select Web Services Explorer to add the ability to test web services for security vulnerabilities, and click Next.
    Note: Approximately 330 MB is required for the Web Services Explorer – GSC (Generic Service Client tool) version 8.1 that is used to test Web Services for security vulnerabilities
  4. In the Destination Folder window, click Next.
  5. In the Ready to Install the Program window, click Install to proceed with the installation, and then click Finish.

Results

Running the Configuration wizard

After you install or upgrade the Server or Scanner, you must configure each installed component and run the Configuration wizard on all instances and on all servers.

Before you begin

  1. During configuration, you define the name and location of the SQL Server database to be used, and the service account name and password. The user who runs the configuration wizard must be able to create a database and grant rights.
  2. Running the wizard after you install the AppScan Enterprise Server sets up the database on the SQL Server and does the initial setup of the component.
  3. Running the wizard after you install the Dynamic Analysis Scanner registers the Scanner with AppScan Enterprise Server.

Procedure

  1. When the installation is complete, the Configuration wizard launches automatically. You can also start it by selecting Configuration Wizard from the Windows Start menu.
  2. In the Welcome screen, click Next.
  3. In the License Server window, specify the Rational License Server to use for licenses. See License Server.

    Do not check the AppScan Source standalone evaluation check box.
  4. In the Server Components window, select the components that you want to configure. The components available to you depend on your license. See Server Components. If you are installing the components on one machine, select all the check boxes, even if you have installed one of the components previously.

  5. In the Instance Name window, specify the name of the instance you want to configure. See Instance Name.

  6. In the Service Account window, enter the Domain/Username Service Account and password, and click Next. See Service Account.

  7. In the Database Connection window, enter the SQL Server name, port number, and the name of the database you are connecting to. You can click Test Connection to make sure you can connect to the SQL Server. The configuration wizard does not proceed until the connection is successful. Enter the database name. When AppScan Enterprise Server creates the database in SQL Server, it automatically configures the collation for it.

    Note:
    1. If you are upgrading an existing database from v8.6 or earlier, enter the Database Master Key Password on the next screen to access it. Keep this password in a secure location.
    2. If your environment uses a named SQL Server instance for the AppScan Enterprise database, make sure that TCP/IP is enabled in the SQL Server configuration manager, and restart the SQL services for SQL Server. Use the port number of the named SQL Server instance instead of the default port number (1443).
  8. (upgrade only) In the Database Encryption Changes window, click Help to learn how to protect the SQL Server where the database is located. If you decide not to enable TDE, select the check box so you can continue configuration.

    Note: AppScan Enterprise uses transparent data encryption (TDE) technology that is available in SQL Server 2008 and later. TDE encrypts the data that is stored in the database or in backups on physical media. If you are using an older version of SQL Server, any data that is contained in that database is at risk of compromise by unauthorized access.
  9. Ensure that nobody is accessing the database, and click Finish in the Specifications Complete window to complete the configuration. This process might take awhile.
    Note:
    1. IIS AppPool settings on Windows 2008 Server R2 are set during configuration:
      • IIS recycling is set at 2:00am
      • Idle timeout is set at 120 minutes
    2. If you see an error message that the proxy server certificate cannot be configured, it might be expired. Contact your Product Administrator to investigate further.
  10. Optional: Select the Start the Services check box to automatically start the services.
    Note: If you do not choose to automatically start the agent service, the agents do not pick up any jobs that are created by users. You can manually start the service by using the Administrative tools; see Verifying the agent service and alerting service installation.
  11. Click Exit.

Verifying the installation of the Enterprise Console

After the installation process is complete, you can verify the installation of the Enterprise Console.

Procedure

Go to https://domain/ase/ and log in.