Configuring AppScan Source to use a local license server with a self-signed certificate

When you use a local license server with a self-signed or local CA certificate, you must import the local license server certificate to the client machine.

Importing a local license server certificate consists of three tasks:

  1. Exporting the certificate from the local license server.
  2. Adding the certificate to the JRE on the AppScan® Source application.
  3. Adding the certificate to the system’s root certificate.

Exporting the certificate from the local license server

To export the server certificate from the local license server:

  1. At the command prompt, type:
    $ keytool -export -keystore <flexnetls_install_dir>\server\<keystore_file> -alias <alias_name> -file license_server.cer

    Where:

    • <flexnetls_install_dir> specifies the path to the local license server installation directory.
    • <keystore_file> is the name of the keystore file.
    • <alias_name> is the same word you used when generating the certificate.
  2. When prompted, enter the keystore password.

This creates a certificate file license_server.cer in the current working directory.

Adding the certificate to the JRE on the AppScan Source application

To add the certificate to the JRE:

  1. Copy the certificate file (license_server.cer) to each client system where the user will run AppScan Source.
  2. Import the certificate to the local JRE keystore using the following commands:
     $ cd <appscan_source_install>\jre\bin
     $ keytool -import -alias <alias_name> -file license_server.cer -keystore ..\lib\security\cacerts

    Where:

    <appscan_source_install> specifies the path to the AppScan Source installation directory.

  3. When prompted, enter the keystore password. The default password is changeit.
  4. When prompted whether to trust this certificate, respond yes.
    Trust this certificate? [no]: yes

    Note: To connect to the server, the hostname field in the License Manager should use the same value as “CN” (Common Name). If the hostname is not resolvable from the client, add it to the hosts file of the operating system.

Adding the certificate to the system's root certificate

On Windows

To add certificates to the Trusted Root Certification Authorities store:

  1. Open Microsoft Management Console:
    1. From the WinX Menu in Windows 10/8.1, open the Run box.
    2. Type mmc and press Enter.
  2. Select File > Add/Remove Snap-in.
  3. At the Add/Remove Snap-in dialog box, under Available Snap-ins, click Certificates.
  4. Click Add and then click OK.
  5. Select the appropriate account and then click Next.
  6. Select Local computer and click Finish.
  7. At the Add/Remove Snap-ins dialog box, click OK.
  8. Back at Microsoft Management Console, in the console tree, double-click Certificates.
  9. Right-click Trusted Root Certification Authorities.
  10. Under All tasks, select Import.
  11. The Certificate Import Wizard opens.
  12. Follow the instructions in the wizard to complete the process.

On Linux

  1. Download the self-signed certificate directly from the license server using the following command:
     $ openssl s_client -connect <license_server_hostname>:<443> <<<'' | openssl x509 -out /path/cerfile.crt
  2. Find the location of cURL's default certificate store with curl -v https://license_server_hostname

    The output lists the location. For example, * CAfile: /etc/pki/tls/certs/ca-bundle.crt

  3. Add the certificate to the above file:
     cat /path/cerfile.crt >>/etc/pki/tls/certs/ca-bundle.crt
  4. Verify that you are able to connect to the license server using the curl command curl -v https://license_server_hostname without additional options.
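
The Linux steps above fetch the certificate over the network and append it straight to the CA bundle. As an added example (not part of the original documentation), the script below appends the fetched certificate only when its SHA-256 fingerprint matches the license_server.cer exported in the first task and its CN equals the hostname, as the note above requires. The function names are hypothetical, and it assumes license_server.cer reached the client over a trusted channel.

```bash
#!/usr/bin/env bash
# Added example; function names are illustrative, not part of AppScan Source.

# Emit a certificate as PEM whether the file is PEM or DER
# (keytool -export writes DER unless -rfc is given).
to_pem() {
    openssl x509 -in "$1" 2>/dev/null || openssl x509 -inform DER -in "$1" 2>/dev/null
}

# SHA-256 fingerprint of a certificate file, colon-separated hex.
cert_fingerprint() {
    local out
    out=$(to_pem "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${out#*=}"
}

# Subject Common Name of a certificate file.
cert_cn() {
    to_pem "$1" | openssl x509 -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# add_if_verified <fetched_cert> <reference_cert> <hostname> <ca_bundle>
# Returns 0 = trusted (added or already present), 1 = unreadable certificate,
# 2 = fingerprint mismatch, 3 = CN differs from the hostname.
add_if_verified() {
    local fetched="$1" reference="$2" host="$3" bundle="$4" fp
    fp=$(cert_fingerprint "$fetched") || return 1
    if [ "$fp" != "$(cert_fingerprint "$reference")" ]; then
        echo "fingerprint mismatch, not trusting $fetched" >&2
        return 2
    fi
    if [ "$(cert_cn "$fetched")" != "$host" ]; then
        echo "certificate CN does not match $host" >&2
        return 3
    fi
    # Skip the append when the bundle already holds this certificate
    # (matched on its first base64 line, which includes the serial number).
    if grep -qF -- "$(to_pem "$fetched" | sed -n 2p)" "$bundle" 2>/dev/null; then
        return 0
    fi
    to_pem "$fetched" >> "$bundle"
}

# Script use: <script> /path/cerfile.crt license_server.cer <hostname> <ca_bundle>
if [ "$#" -eq 4 ]; then add_if_verified "$@"; fi
```

Unlike a plain cat >>, rerunning this does not add a second copy of the certificate to the bundle.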

Configure AppScan Source with local license server using non-SSL (HTTP) mode

You can also configure AppScan Source to connect to a non-SSL (HTTP) local license server port. You can use this configuration for pre-production or testing, but we recommend using SSL in production for better security. To configure AppScan Source License Manager with non-SSL mode:

  1. Make sure the non-SSL port is enabled in the HCL local license server. By default, this is enabled on port 7070.
  2. Open the <appscan_program_data>\config\license.ozsettings file.
  3. Set the value of the license_use_ssl attribute to false.
  4. Start the License Manager and use the non-SSL port number to connect to the local license server. You can use either the hostname or the IP address of the license server machine in non-SSL mode.