Configuring AppScan Source to use a local license server with a self-signed certificate
When you use a local license server with a self-signed or local CA certificate, you must import the local license server certificate to the client machine.
Importing a local license server certificate consists of three tasks:
- Exporting the certificate from the local license server.
- Adding the certificate to the JRE on the AppScan® Source application.
- Adding the certificate to the system’s root certificate.
Exporting the certificate from the local license server
To export the server certificate from the local license server:
- At the command prompt, type:
$ keytool -export -keystore <flexnetls_install_dir>\server\<keystore_file> -alias <alias_name> -file license_server.cer
Where:
  - <flexnetls_install_dir> specifies the path to the local license server installation directory.
  - <keystore_file> is the name of the keystore file.
  - <alias_name> is the same word you used when generating the certificate.
- When prompted, enter the keystore password.
This creates a certificate file license_server.cer in the current working directory.
Adding the certificate to the JRE on the AppScan Source application
To add the certificate to the JRE:
- Copy the certificate file (license_server.cer) to each client system where the user will run AppScan Source.
- Import the certificate to the local JRE keystore using the following commands:
$ cd <appscan_source_install>\jre\bin
$ keytool -import -alias <alias_name> -file license_server.cer -keystore ..\lib\security\cacerts
Where:
<appscan_source_install> specifies the path to the AppScan Source installation directory.
- When prompted, enter the keystore password. The default password is changeit.
- When prompted whether to trust this certificate, respond yes.
Trust this certificate? [no]: yes
Note: To connect to the server, the hostname field in the License Manager should use the same value as “CN” (Common Name). If the hostname is not resolvable from the client, add it to the hosts file of the operating system.
Adding the certificate to the system's root certificate
On Windows
To add certificates to the Trusted Root Certification Authorities store:
- Open Microsoft Management Control:
  - From the WinX Menu in Windows 10/8.1, open the Run box.
  - Type mmc and press Enter.
- Select .
- At the Add/Remove Snap-in dialog box, under Available Snap-ins, click Certificates.
- Click Add and then click OK.
- Select the appropriate account and then click Next.
- Select Local computer and click Finish.
- At the Add/Remove Snap-ins dialog box, click OK.
- Back at Microsoft Management Control, in the console tree, double-click on Certificates.
- Right-click Trusted Root Certification Authorities.
- Under All tasks, select Import.
- The Certificate Import Wizard opens.
- Follow the instructions in the wizard to complete the process.
On Linux
- Download a self-signed certificate directly from the license server using the following command:
$ openssl s_client -connect <license_server_hostname>:<443> <<<'' | openssl x509 -out /path/cerfile.crt
- Find the location of cURL's default certificate store with:
curl -v https://license_server_hostname
The output lists the location. For example:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
- Add the certificate to the above file:
cat /path/cerfile.crt >>/etc/pki/tls/certs/ca-bundle.crt
- Verify that you are able to connect to the license server using the curl command without additional options:
curl -v https://license_server_hostname
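The Linux steps above trust whatever certificate the server presents on the first connection. As an added example (not part of the original documentation), the shell functions below compare the downloaded file with the license_server.cer exported from the keystore, and check its CN against the hostname, before the file is appended to the CA bundle. The function names and argument order are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: confirm the certificate fetched over the network is the one
# exported from the license server keystore before it is trusted.
# Usage (script name is hypothetical):
#   check_cert.sh license_server.cer /path/cerfile.crt <license_server_hostname>

# Print the SHA-256 fingerprint of a certificate file. keytool -export writes
# DER unless -rfc is given, while openssl x509 -out writes PEM, so try both.
cert_fp() {
    openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 2>/dev/null
}

# Print the certificate's Common Name, the value the hostname field in the
# License Manager has to match.
cert_cn() {
    { openssl x509 -in "$1" -inform PEM -noout -subject -nameopt multiline 2>/dev/null ||
      openssl x509 -in "$1" -inform DER -noout -subject -nameopt multiline 2>/dev/null; } |
        sed -n 's/^ *commonName *= *//p'
}

# check_cert EXPORTED FETCHED HOSTNAME
# Return 0 only if both files hold the same certificate and its CN equals
# HOSTNAME; otherwise print the reason to stderr and return 1.
check_cert() {
    local exported=$1 fetched=$2 host=$3 fp_a fp_b cn
    fp_a=$(cert_fp "$exported") || { echo "cannot parse $exported" >&2; return 1; }
    fp_b=$(cert_fp "$fetched")  || { echo "cannot parse $fetched" >&2; return 1; }
    if [ "$fp_a" != "$fp_b" ]; then
        echo "fingerprint mismatch: do not trust $fetched" >&2
        return 1
    fi
    cn=$(cert_cn "$fetched")
    if [ "$cn" != "$host" ]; then
        echo "CN '$cn' does not match hostname '$host'" >&2
        return 1
    fi
    echo "OK $fp_b CN=$cn"
}

# Run the check only when the three arguments are supplied.
if [ "$#" -eq 3 ]; then
    check_cert "$@"
fi
```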
Configure AppScan Source with local license server using non-SSL (HTTP) mode
You can also configure AppScan Source to connect to a Non-SSL (HTTP) local license server port. You can use this configuration for pre-production or testing, but we recommend using SSL in production for better security. To configure AppScan Source license manager with non-SSL mode:
- Make sure the non-SSL port is enabled in HCL local license server. By default, this is enabled on port 7070.
- Open the <appscan_program_data>\config\license.ozsettings file.
- Set the value of the license_use_ssl attribute to false.
- Start the License Manager and use the non-SSL port number to connect to the local license server. You can use either the hostname or the IP address of the license server machine in non-SSL mode.