Preview only show first 10 pages with watermark. For full document please download

Ibm Security Appscan Source: Installation And Administration Guide

Rating
Date

November 2018
Size

1.2MB
Views

1,874
Categories

Computers & electronics Software Computer utilities Database software

Transcript

IBM Security AppScan Source Version 9.0.1 Installation and Administration Guide IBM Security AppScan Source Version 9.0.1 Installation and Administration Guide (C) Copyright IBM Corp. and its licensors 2003, 2014. All Rights Reserved. IBM, the IBM logo, ibm.com Rational, AppScan, Rational Team Concert, WebSphere and ClearQuest are trademarks or registered trademarks of International Business Machines Corp. registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at http://www.ibm.com/legal/copytrade.shtml. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Unix is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. This program includes: Jacorb 2.3.0, Copyright 1997-2006 The JacORB project; and XOM1.0d22, Copyright 2003 Elliotte Rusty Harold, each of which is available under the Gnu Library General Public License (LGPL), a copy of which is available in the Notices file that accompanied this program. Contents Chapter 1. Introduction to IBM Security AppScan Source . . . . . . . . . . . 1 Chapter 4. Upgrading AppScan Source What's New in AppScan Source . . . . . . . . 2 Migrating to the current version of AppScan Source 4 Migrating from Version 9.0 . . . . . . . . 4 Migrating from Version 8.7 . . . . . . . . 4 Important concepts . . . . . . . . . . . . 6 Classifications . . . . . . . . . . . . . 7 Workflow . . . . . . . . . . . . . . 7 AppScan Source deployment models . . . . . . 8 Standard desktop deployment . . . . . . . 9 Small workgroup deployment . . . . . . . 10 Enterprise workgroup deployment . . . . . 12 United States government regulation compliance . . 14 AppScan Source and accessibility . . . . . . . 15 Chapter 5. Advanced installation and activation topics . . . . . . . . . . 53 Chapter 2. System requirements and installation prerequisites . . . . . . . 17 71 71 74 AppScan Source language and framework support 17 AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux . . . . . . . . . . . 20 Chapter 3. Sample installation scenarios . . . . . . . . . . . . . 23 Installing all required components on one machine Installing IBM Rational License Server . . . . Installing IBM Security AppScan Enterprise Server . . . . . . . . . . . . . . . Installing AppScan Source . . . . . . . . Logging into AppScan Source . . . . . . . Installing AppScan Source components in a multi-machine environment . . . . . . . . . Installing IBM Rational License Server on Machine A. . . . . . . . . . . . . . Installing IBM Security AppScan Enterprise Server on Machine B . . . . . . . . . . Installing AppScan Source client products on Machine C. . . . . . . . . . . . . . Installing the AppScan Source Database on Machine D . . . . . . . . . . . . . Logging into AppScan Source . . . . . . . Installing AppScan Source and integrating it with an existing AppScan Enterprise Server . . . . . . Installing AppScan Source . . . . . . . . Logging into AppScan Source . . . . . . . Migrating Rational AppScan Source Edition Version 8.0.x or earlier to Version 8.6.x . . . . . . . . Installing IBM Rational License Server . . . . Installing Rational AppScan Enterprise Server . . Upgrading Rational AppScan Source Edition . . Logging into Rational AppScan Source Edition © Copyright IBM Corp. 2003, 2014 24 24 25 26 30 30 31 32 33 35 38 39 39 43 44 44 45 46 48 49 Starting the installation wizard . . . . . . . . Installation and user data file locations . . . . . Changing the AppScan Source data directory . . AppScan Enterprise Server overview . . . . . . Installing the database and configuring connections to AppScan Enterprise Server . . . . . . . . Install and configure IBM solidDB . . . . . . Install to an existing Oracle database . . . . . Registering the AppScan Source Database with AppScan Enterprise Server . . . . . . . . Backing up the AppScan Source Database . . . Restoring the AppScan Source IBM solidDB database . . . . . . . . . . . . . . Installing AppScan Source on OS X . . . . . . Installing AppScan Source for Development . . . AppScan Source for Development (plug-in for Eclipse, IBM Worklight, and Rational Application Developer for WebSphere Software (RAD)) . . . Installing the AppScan Source for Development plug-in for Visual Studio . . . . . . . . . Installing AppScan Source for Automation . . . . Syntax . . . . . . . . . . . . . . . Fix pack installation . . . . . . . . . . . 54 55 56 58 59 59 63 69 70 74 78 79 81 81 Chapter 6. Customizing the AppScan Source installation . . . . . . . . . 85 Creating a custom or silent installation . . . . Launching the Installation Configuration Wizard Using the Custom Installation Configuration Wizard . . . . . . . . . . . . . . Running a custom or silent installation . . . . Example: Install AppScan Source through a custom installation . . . . . . . . . . . . . . 85 86 . 86 . 88 . 89 Chapter 7. AppScan Source silent installers . . . . . . . . . . . . . . 91 Creating a custom or silent installation . . . . . Launching the Installation Configuration Wizard Using the Custom Installation Configuration Wizard . . . . . . . . . . . . . . . Running a custom or silent installation . . . . . Example: Install AppScan Source silently through an Installation Framework . . . . . . . . . . 91 91 92 94 95 Chapter 8. Activating the software . . . 97 Importing a license file Using a floating license Viewing licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 . 98 . 99 iii Chapter 9. Removing AppScan Source from your system . . . . . . . . . 101 Removing from Microsoft Windows platforms . Removing from Linux platforms . . . . . . Removing from OS X platforms . . . . . . . 101 . 101 . 101 Chapter 10. Administering AppScan Source . . . . . . . . . . . . . . 103 User accounts and permissions . . . . . . . Creating AppScan Source users . . . . . . . AppScan Enterprise Server authentication: Migration considerations for replacement of the IBM Rational Jazz user authentication component with IBM WebSphere Liberty . . . Configuring automatic login of AppScan Enterprise Server users . . . . . . . . . Creating local product administrator users in AppScan Enterprise Server Liberty . . . . . Creating a user account for the Automation Server . . . . . . . . . . . . . . . 103 104 105 105 106 108 Chapter 12. Logging in to AppScan Enterprise Server from AppScan Source products . . . . . . . . . . 113 iv . . Chapter 13. LDAP integration . . . 114 . . . . 115 Chapter 14. Registering applications and projects for publishing to AppScan Source . . . . . . . . . . 117 Chapter 15. AppScan Source application and project files . . . . . 119 Chapter 16. Port configuration . . . . 123 Chapter 11. Auditing user activity . . . 111 Changing AppScan Source user passwords AppScan Enterprise Server SSL certificates. Default open ports . . . . . Port forwarding configuration . . Changing the IBM solidDB port . . . . . . . . . . . . . . . . . 123 . 123 . 123 Chapter 17. Changing IBM solidDB user passwords after installation . . . 125 Notices . . . . . . . . . . . . . . 135 Index . . . . . . . . . . . . . . . 139 . 113 IBM Security AppScan Source: Installation and Administration Guide Chapter 1. Introduction to IBM Security AppScan Source IBM® Security AppScan® Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop. The product set includes: v AppScan Source for Analysis: Workbench to configure applications and projects, scan code, analyze, triage, and take action on priority vulnerabilities. v AppScan Source for Automation: Allows you to automate key aspects of the AppScan Source workflow and integrate security with build environments during the software development life cycle. v AppScan Source for Development: Developer plug-ins integrate many AppScan Source for Analysis features into Microsoft Visual Studio, the Eclipse workbench, and Rational® Application Developer for WebSphere® Software (RAD). This allows software developers to find and take action on vulnerabilities during the development process. The Eclipse plug-in allows you to scan source code for security vulnerabilities - and you can scan IBM Worklight® projects with the Eclipse plug-in. To enhance the value of AppScan Source within your organization, the products include these components: v AppScan Source Security Knowledgebase: In-context intelligence on each vulnerability, offering precise descriptions about the root cause, severity of risk, and actionable remediation advice. v AppScan Enterprise Server: Most AppScan Source products and components must communicate with an AppScan Enterprise Server. Without one, you can use AppScan Source for Development in local mode - but features such as custom rules, shared scan configurations, and shared filters will be unavailable. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. The server includes an optional Enterprise Console component. If your administrator installs this component, you can publish assessments to it from AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface (CLI). The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards. Note: – AppScan Enterprise Server is not supported on OS X. – If you have a basic server license, the server may only be accessed by up to ten (10) concurrent connections from AppScan products. With a premium server license, unlimited connections are allowed. Important: When scanning, AppScan Enterprise Server and AppScan Source clients (except AppScan Source for Development) both require a direct connection to the AppScan Source Database (either solidDB® or Oracle). © Copyright IBM Corp. 2003, 2014 1 This Software Offering does not use cookies or other technologies to collect personally identifiable information. Translated national languages The AppScan Source user interfaces are available in these languages: v English v Brazilian Portuguese v Simplified Chinese v Traditional Chinese v v v v v v German Spanish French Italian Japanese Korean v Russian What's New in AppScan Source This topic describes new features that have been added to AppScan Source. v “New integration solution support” v “Support for importing Xcode workspaces” v “Autodiscovery and configuration of applications built on popular application server technology” on page 3 v “Integration with IBM Business Partner Arxan” on page 3 v “AppScan Enterprise Server authentication: Replacement of IBM Rational Jazz user authentication component with IBM WebSphere Liberty” on page 3 v “DISA Application Security and Development STIG V3R8 report support” on page 3 v “Support for IBM Worklight web applications” on page 3 v “Enhanced scanning support” on page 3 v “Russian national language support” on page 3 v “Capabilities and features that are no longer supported in AppScan Source Version 9.0.1” on page 3 New integration solution support As of AppScan Source Version 9.0.1: v Rational Application Developer for WebSphere Software (RAD) Version 9.1 project files and workspaces can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to RAD Version 9.1. v Xcode 6.0 for Objective-C (for iOS applications only) is now a supported compiler on OS X. Support for importing Xcode workspaces On OS X, you can now import and scan entire Xcode workspaces consisting of multiple projects. 2 IBM Security AppScan Source: Installation and Administration Guide Autodiscovery and configuration of applications built on popular application server technology If you have existing Java™ applications that have been deployed to a supported Apache Tomcat or WebSphere Application Server Liberty server, you can now automatically import them to AppScan Source. If you have Java applications that have been deployed to an unsupported application server, you can extend the application server import framework to add your application server and then import the applications. Integration with IBM Business Partner Arxan This includes support for Arxan-specific integrity rules, new Arxan specific vulnerability and project types, as well as Arxan remediation assistance. AppScan Enterprise Server authentication: Replacement of IBM Rational Jazz™ user authentication component with IBM WebSphere Liberty AppScan Enterprise Server now utilizes IBM WebSphere Liberty for user authentication. If you are upgrading from a previous version of AppScan Source, users that were set up with Jazz authentication will not be functional and must be recreated. DISA Application Security and Development STIG V3R8 report support AppScan Source now supports the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) V3R8 report. Support for IBM Worklight web applications You can now scan mobile and desktop web applications that are developed in IBM Worklight. Enhanced scanning support Enhanced accuracy for JavaScript analysis: v Pattern-based static analysis results for JavaScript are now included. v Preliminary support for Backbone.js and Require.js. v Various bug fixes. Russian national language support As of AppScan Source Version 9.0.1, the product user interface and select documentation can be displayed in Russian. Capabilities and features that are no longer supported in AppScan Source Version 9.0.1 As of AppScan Source Version 9.0.1: v OS X Version 10.7 is no longer a supported operating system. v Xcode versions 4.5 and 4.6 are no longer supported. Scanning Objective-C in projects from these versions of Xcode is no longer supported. Chapter 1. Introduction to IBM Security AppScan Source 3 v Visual Studio 2008 project files are no longer supported - and the AppScan Source for Development (Visual Studio plug-in) can no longer be applied to Visual Studio 2008. v As of AppScan Source Version 9.0, the Java and C++ code quality analysis features were deprecated. These features are no longer supported in Version 9.0.1. Migrating to the current version of AppScan Source This topic contains migration information for changes that have gone into this version of AppScan Source. If you are upgrading from an older version of AppScan Source, be sure to note the changes for the version of AppScan Source that you are upgrading and all versions leading up to this current version. v “Migrating from Version 9.0” v “Migrating from Version 8.7” Migrating from Version 9.0 AppScan Enterprise Server authentication: Migration considerations for replacement of the IBM Rational Jazz user authentication component with IBM WebSphere Liberty v Migrating from an Enterprise Server that only has local Jazz users: In this upgrade scenario, the former Jazz users will appear in the AppScan Source Database as AppScan Enterprise Server users, however, they will not be valid. These users can be removed from the Database - or they can be converted to AppScan Source users if you follow the instructions in http://www.ibm.com/ support/docview.wss?uid=swg21686347 for enabling that conversion. v Migrating from an Enterprise Server that was configured with LDAP: During the Enterprise Server upgrade, you have the option of configuring the Enterprise Server with LDAP again. If you do this, existing users will still work in AppScan Source. v Migrating from an Enterprise Server that was configured with Windows authentication: If your Enterprise Server was configured with Windows authentication, existing users will work in AppScan Source, provided the new Enterprise Server Liberty is configured to use Windows authentication. Migrating from Version 8.7 v “Changes to findings classifications” v “Default settings changes that will improve scan coverage” on page 5 v “Restoring AppScan Source predefined filters from previous versions” on page 6 Changes to findings classifications After Version 8.7, findings classifications changed. This table lists the old classifications mapped to the new classifications: Table 1. Findings classification changes 4 Findings classifications prior to AppScan Source Version 8.8 Classifications as of AppScan Source Version 8.8 Vulnerability Definitive security finding Type I Exception Suspect security finding Type II Exception Scan coverage finding IBM Security AppScan Source: Installation and Administration Guide An example of these changes can be seen in the Vulnerability Matrix view. As of Version 8.8, the view looks like this: Default settings changes that will improve scan coverage As of AppScan Source Version 8.8: v The default value of show_informational_findings in scan.ozsettings has changed from true to false. v The default value of wafl_globals_tracking in ipva.ozsettings has changed from false to true. This setting enables AppScan Source to find dataflow between different components of a framework-based application (for example, dataflow from a controller to a view). The change to show_informational_findings will result in assessments not including findings with a severity level of Info by default. Chapter 1. Introduction to IBM Security AppScan Source 5 Note: If you have scan configurations that were created prior to Version 8.8 that did not explicitly set values for these settings, the scan configurations will now use their new default values. Restoring AppScan Source predefined filters from previous versions In AppScan Source Version 8.8, predefined filters were improved to provide better scan results. If you need to continue using the predefined filters from older versions of AppScan Source (archived filters are listed in Chapter 18, “AppScan Source predefined filters (Version 8.7.x and earlier),” on page 127), follow the instructions in Chapter 19, “Restoring archived predefined filters,” on page 129. Important concepts Before you begin to use or administer AppScan Source, you should become familiar with fundamental AppScan Source concepts. This section defines basic AppScan Source terminology and concepts. Subsequent chapters repeat these definitions to help you understand their context in AppScan Source for Analysis. AppScan Source for Analysis scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. A bundle is a named collection of individual findings and is stored with an application. Applications, their attributes, and projects are created and organized in AppScan Source for Analysis: v Applications: An application contains one or more projects and their related attributes. v Projects: A project consists of a set of files (including source code) and their related information (such as configuration data). A project is always part of an application. v Attributes: An attribute is a characteristic of an application that helps organize the scan results into meaningful groupings, such as by department or project leader. You define attributes in AppScan Source for Analysis. The principal activity of AppScan Source for Analysis is to scan source code and analyze vulnerabilities. Assessments provide an analysis of source code for vulnerabilities including: v Severity: High, medium, or low, indicating the level of risk v Vulnerability Type: Vulnerability category, such as SQL Injection or Buffer Overflow v File: Code file in which the finding exists v API/Source: The vulnerable call, showing the API and the arguments passed to it v Method: Function or method from which the vulnerable call is made v Location: Line and column number in the code file that contains the vulnerable API v Classification: Security finding or scan coverage finding. For more information, see “Classifications” on page 7. 6 IBM Security AppScan Source: Installation and Administration Guide Classifications Findings are classified by AppScan Source to indicate whether they are security or scan coverage findings. Security findings represent actual or likely security vulnerabilities - whereas scan coverage findings represent areas where configuration could be improved to provide better scan coverage. Each finding falls into one of these classifications: v Definitive security finding: A finding that contains a definitive design, implementation, or policy violation that presents an opportunity for an attacker to cause the application to operate in an unintended fashion. This attack could result in unauthorized access, theft, or corruption of data, systems, or resources. Every definitive security finding is fully articulated, and the specific underlying pattern of the vulnerable condition is known and described. v Suspect security finding: A finding that indicates a suspicious and potentially vulnerable condition that requires additional information or investigation. A code element or structure that can create a vulnerability when used incorrectly. A suspect finding differs from a definitive finding because there is some unknown condition that prevents a conclusive determination of vulnerability. Examples of this uncertainty can be the use of dynamic elements, or of library functions for which the source code is not available. As a result, there is an additional level of research that is required to confirm or reject a suspect finding as definitive. v Scan coverage finding: Findings that represent areas where configuration could be improved to provide better scan coverage (for example, lost sink findings). Note: In some cases, a classification of None may be used to denote a classification that is neither a security finding nor a scan coverage finding. Workflow After installation, deployment, and user management, the AppScan Source workflow consists of these basic steps. 1. Set security requirements: A manager or security expert defines vulnerabilities and how to judge criticality. 2. Configure applications: Organize applications and projects. 3. Scan: Run the analysis against the target application to identify vulnerabilities. 4. Triage and analyze results: Security-minded staff study results to prioritize remediation workflow and separate real vulnerabilities from potential ones, allowing triage on critical issues to begin immediately. Isolate the issues you need to fix first. 5. Customize the Knowledgebase: Customize the AppScan Source Security Knowledgebase to address internal policies. 6. Publish scan results: Add scan results to the AppScan Source Database or publish them to the AppScan Enterprise Console. 7. Assign remediation tasks: Assign defects to the development team to resolve vulnerabilities. 8. Resolve issues: Eliminate vulnerabilities by rewriting code, removing flaws, or adding security functions. 9. Verify fixes: The code is scanned again to assure that vulnerabilities are eliminated. Chapter 1. Introduction to IBM Security AppScan Source 7 C onfigure AppScan Source for Analysis S c an AppScan Source for Analysis AppScan Source for Automation AppScan Source for Development Monitor Enterprise Console Triage AppScan Source for Analysis AppScan Enterprise Server R emediate AppScan Source for Analysis AppScan Source for Remediation AppScan Source for Development A s s ign AppScan Source for Analysis AppScan Source deployment models This section describes three different deployment models and the components that comprise each model. The AppScan Source products (coupled with the AppScan Enterprise Server) support several deployment options to meet varied organizational requirements. Client and server components comprise the product solution, and each component serves a specific purpose. Some deployment models require all components while others need only a few. Furthermore, some information technology policies require deployment of certain server components on separate computers versus all components on one computer. This section describes three different deployment models: v “Standard desktop deployment” on page 9 v “Small workgroup deployment” on page 10 v “Enterprise workgroup deployment” on page 12 The deployment that best fits your needs could be a combination of models. This table provides a brief description of each deployed AppScan Source product or component. 8 Component Description AppScan Source for Analysis A workbench to analyze, isolate, and take action on priority vulnerabilities. Provides security analysts, QA managers, and development managers with fast time-to-results. AppScan Source for Analysis must communicate with the AppScan Enterprise Server. IBM Security AppScan Source: Installation and Administration Guide Component Description AppScan Source for Development IDE-integrated components focused on remediation of vulnerabilities at the line of code level. AppScan Source for Development only communicates with the AppScan Enterprise Server when scanning source code. AppScan Source Database An out-of-the-box database that persists the AppScan Source Security Knowledgebase data, assessment data, and application/project inventory. Important: When scanning, AppScan Enterprise Server and AppScan Source clients (except AppScan Source for Development) both require a direct connection to the AppScan Source Database (either solidDB or Oracle). AppScan Source for Automation Automate key aspects of the AppScan Source workflow and integrate scans with build environments during the software development life cycle (SDLC). The Automation Server processes requests to scan and publish assessments and generate reports. It runs as a service/daemon and must communicate with the AppScan Enterprise Server. AppScan Source command line interface (CLI) client Provides command line access to various AppScan Source functions to enable integration, automation, and scripting, in addition to the functions provided by AppScan Source for Automation. The CLI must communicate with the AppScan Enterprise Server. Each of the components in the table must communicate with an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. In addition, if your administrator has installed the Enterprise Console component of the AppScan Enterprise Server, you can publish assessments to it. The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards. Standard desktop deployment The standard desktop deployment is for a single AppScan Source user in a small organization or a security analyst/auditor who performs security assessments, both onsite and offsite. It assumes no defect tracking system integration or build integration (through use of AppScan Source for Automation). This deployment model consists of two AppScan Source components, AppScan Source for Analysis (client) and the AppScan Enterprise Server, installed on one computer, such as a notebook. The desktop deployment model focuses on scan results and individual productivity and convenience rather than the ability to deploy AppScan Source across numerous computers and optimization around a team effort. Chapter 1. Introduction to IBM Security AppScan Source 9 With this model, a user authenticates to the AppScan Enterprise Server using the AppScan Source administrative account, and no LDAP Directory Server integration is expected. This model assumes that a source control management client on the computer provides access to source code, or the source code resides on the computer. The standard desktop deployment is ideal for a mobile auditor. For example, the auditor might work onsite and then want to finish some work at home or while traveling. If the auditor logs in to the notebook running AppScan Source for Analysis and the AppScan Enterprise Server while offsite, there is access to the source code and the saved assessments. Later, when the auditor returns to work onsite, reconnecting to the source control system allows for the return of the corrected source to the corporate repository. This model allows for the generation of leave-behind reports with all of the assessment result details. The following diagram depicts a standard desktop deployment with client and server components on the same computer. S ourc e C ontrol Manager client AppScan Source for Analysis AppScan Source for Development AppScan Source Command Line Client Browser S erver Enterprise Console AppScan Enterprise Server Database server AppScan Source database Small workgroup deployment The small workgroup deployment best fits a small to moderate size team that does not have many IT Compliance Guidelines related to application deployment. With this model, AppScan Source server components reside on a dedicated computer, likely on the same subnet as computers running the AppScan Source 10 IBM Security AppScan Source: Installation and Administration Guide client components. The expectation is that a local AppScan Source administrator manages AppScan Source user accounts and that no integration exists with a corporate LDAP Directory Server. In addition, the assumption is that a source control management client on the computer provides access to source code or a copy of the source also exists on the computer. This model enables team collaboration with a minimal amount of deployment overhead and administration. It is important to understand that this deployment model includes: v Security analysts and developers connect to the AppScan Enterprise Server v Auditors/managers connect to the Enterprise Console component of AppScan Enterprise Server through a web browser v AppScan Source server components run on a dedicated computer with access to source code An installation for a small workgroup deployment consists of the client and server components that are necessary to run AppScan Source components on multiple computers on a network. Server Components v AppScan Source Database v AppScan Source for Automation Client Components v AppScan Source for Analysis v AppScan Source Command Line Interface v AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default) v Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system) v Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system) v Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system) The following diagram depicts a small workgroup deployment of the AppScan Source components. Chapter 1. Introduction to IBM Security AppScan Source 11 Enterprise workgroup deployment The enterprise workgroup deployment is for medium to large teams in large organizations where enterprise considerations are required. This deployment works well if your organization must: v Comply with IT Governance and Compliance Guidelines such as clustering and load balancing web applications v Maximize corporate resources, such as having the database in a data center with automatic backups v Run components within certain firewalls, requiring some form of port-forwarding This deployment model expects that there is a corporate LDAP Directory Server and that authentication to use AppScan Source requires validation of credentials through the directory server. It also assumes that access to source code is available through a source control management client on the computer or the source resides on the computer, and that a defect tracking system integration is in place. Typically, the organization automates application scans by integrating with the build process, thus requiring the deployment of AppScan Source for Automation. In this model, it is also possible that the enterprise has standardized on a database server, such as Oracle. A common enterprise workgroup deployment would have these characteristics: v Security analysts and developers connect to the AppScan Enterprise Server v Auditors connect to the Enterprise Console component of AppScan Enterprise Server through a web browser 12 IBM Security AppScan Source: Installation and Administration Guide v AppScan Source server components run on different computers due to IT Governance and Compliance Guidelines – The Enterprise Console is on a central web application server cluster that is load balanced, and the Automation Server runs on one or more build servers – Data Center contains a Oracle Database Server v Automation Server is deployed on the build systems v AppScan Enterprise Server communicates with the LDAP Directory Server for user authentication v AppScan Enterprise Server and AppScan Source clients connect to the AppScan Source Database hosted in a Data Center (and possibly requires a specific database such as Oracle) v Source control clients provide access to source code on all appropriate computers v AppScan Source for Analysis integrates with defect tracking system clients on the same computer The following diagram depicts the deployment of the AppScan Source components in an Enterprise Workgroup environment. S ec urity A nalys t AppScan Source for Analysis Developer Manager A dminis trator AppScan Source for Development Source control client Source control client Defect tracking system client Defect tracking system client AppScan Source for Analysis B rows er Source control client A ppS c an S ourc e server Source control server Enterprise Console AppScan Enterprise Server Defect tracking system server Data C enter Oracle database server Build server Active directory server Source control client Automation server AppScan Source database AppScan Source database Chapter 1. Introduction to IBM Security AppScan Source 13 United States government regulation compliance Compliance with United States government security and information technology regulations help to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that IBM is working to make their products the most secure in the industry. This topic lists the standards and guidelines that AppScan Source supports. v “Internet Protocol Version 6 (IPv6)” v “Federal Information Processing Standard (FIPS)” v “National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a” v “Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB)” on page 15 Internet Protocol Version 6 (IPv6) AppScan Source is enabled for IPv6, with these exceptions: v Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported. v IPv6 is not supported when connecting to Rational Team Concert™. Federal Information Processing Standard (FIPS) On Windows and Linux platforms that are supported by AppScan Source, AppScan Source supports FIPS Publication 140-2, by using a FIPS 140-2 validated cryptographic module and approved algorithms. On OS X platforms that are supported by AppScan Source, manual steps are needed to operate in FIPS 140-2 mode. To learn background information about AppScan Source FIPS compliance - and to learn how to enable and disable AppScan Source FIPS 140-2 mode, see these technotes: v Operating AppScan Source version 8.7 or later in FIPS 140-2 mode on OS X v How to enable/disable/verify FIPS 140-2 mode in AppScan Source (Linux and Windows) v Background information about AppScan Source version 8.7 or later FIPS 140-2 support National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a NIST SP 800-131A guidelines provide cryptographic key management guidance. These guidelines include: v Key management procedures. v How to use cryptographic algorithms. v Algorithms to use and their minimum strengths. v Key lengths for secure communications. Government agencies and financial institutions use the NIST SP 800-131A guidelines to ensure that the products conform to specified security requirements. 14 IBM Security AppScan Source: Installation and Administration Guide NIST SP 800-131A is supported only when AppScan Source is operating in FIPS 140-2 mode. To learn about enabling and disabling AppScan Source FIPS 140-2 mode, see “Federal Information Processing Standard (FIPS)” on page 14. Important: If the AppScan Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you must set AppScan Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail. v If you are not installing the AppScan Source Database (for example, you are only installing client components), you can force Transport Layer Security V1.2 by modifying \config\ounce.ozsettings (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55)). In this file, locate this setting: In the setting, change value="0" to value="2" and then save the file. v If you are installing the AppScan Source Database, you force Transport Layer Security V1.2 in the IBM Security AppScan Enterprise Server Database Configuration tool after installing both AppScan Source and the Enterprise Server. Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB) AppScan Source supports scanning applications on Windows 7 machines that are configured with the USGCB specification. Note: On machines that are configured with the USGCB specification, AppScan Source does not support defect tracking system integration with HP Quality Center or Rational ClearQuest®. AppScan Source and accessibility Accessibility affects users with physical disabilities, such as restricted mobility or limited vision. Accessibility issues can impede the ability to use software products successfully. This topic outlines known AppScan Source accessibility issues and their workarounds. Using JAWS Screen Reading Software with the AppScan Source installer To use Freedom Scientific JAWS (http://www.freedomscientific.com/products/fs/ jaws-product-page.asp) when running the AppScan Source installer, you must install Java Access Bridge in the AppScan Source JVM. This will allow JAWS to properly speak labels and controls in the installer panels. Chapter 1. Introduction to IBM Security AppScan Source 15 v Information about the Java Access Bridge (including the download link and installation instructions) can be found at http://www.oracle.com/technetwork/ java/javase/tech/index-jsp-136191.html. v Information about the InstallAnywhere requirement for installing the Java Access Bridge can be found at http://kb.flexerasoftware.com/selfservice/ documentLink.do?externalID=Q200311. Using JAWS Screen Reading Software in user interface panels with descriptive text Many parts of the AppScan Source user interface contain descriptive text. In most cases, you must use the JAWS Insert+B keystroke to be able to read this descriptive text. 16 IBM Security AppScan Source: Installation and Administration Guide Chapter 2. System requirements and installation prerequisites To run AppScan Source components, your computers must meet the minimum requirements outlined (per product) in http://www.ibm.com/support/ docview.wss?uid=swg27027486. To learn about AppScan Source language support, see “AppScan Source language and framework support.” Important: When installing on Linux 64-bit systems, some 32-bit libraries must be installed before you can successfully install AppScan Source. These libraries are listed in the Notes for 64-bit Linux entries at http://www.ibm.com/support/ docview.wss?uid=swg27027486. If these libraries are not present, you will be prompted with a message when you attempt to install AppScan Source. AppScan Source language and framework support This topic lists the languages that can be scanned in AppScan Source. v “Language Support on Windows” v “Language Support on Linux” on page 18 v “Language Support on OS X” on page 19 v “Framework for Frameworks handling APIs: built-in framework support” on page 20 Language Support on Windows IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI) support scanning these languages: v C/C++ v COBOL v ColdFusion v Java (including support for Android APIs) JavaServer Pages (JSP) JavaScript Perl PHP (Versions 4.x and 5.x) PL/SQL T-SQL .NET (C#, ASP.NET, VB.NET) - Microsoft .NET Framework Versions 2.0, 3.0, 3.5, 4.0, and 4.5 v ASP (JavaScript/VBScript) v Visual Basic 6 v v v v v v v Note: v For PHP, Visual Basic 6, and Classic ASP, only ISO-8859-1 (Western Europe), UTF-8, and UTF-16 character sets are supported. © Copyright IBM Corp. 2003, 2014 17 v You may encounter informational parsing error messages when scanning PHP version 5.3 and higher. These errors display in the Console view. For example, 07/31/14 14:11:27 - Parsing error at C:\TestApps\php-5.5-Example\test.php(11,11) due to: found/expected identifier/& ( + - :: ; || && or and xor | ^ . * / % << >> === !== == != < <= > >= instanceof ? This message is indicating that there is a new keyword or syntax in the PHP code that the AppScan Source parser does not recognize. This will only occur if you are using language keywords or syntax that are only available in PHP version 5.3 or higher. Parsing errors such as this can result in missed findings in the code, if the parser cannot reset and continue parsing the code scope. Example: The finally keyword was added in PHP version 5.5. This keyword is used in try-catch-finally blocks. If the finally block is used, the parser will generate an error similar to the one displayed above. AppScan Source will attempt to handle the error and continue parsing. If parsing cannot continue, the parser will stop parsing the method in which the error was encountered - and that entire method will not be available for analysis. The AppScan Source for Development Visual Studio plug-in supports scanning C/C++ and .NET (C#, ASP.NET, VB.NET). The AppScan Source for Development Eclipse Plug-in (which can be applied to Eclipse or IBM Rational Application Developer for WebSphere Software (RAD)) supports scanning Java (including support for Android APIs), JavaServer Pages (JSP), and IBM Worklight projects. v Worklight project scan support includes: Native client-side Android and iOS source code, in addition to most user-written JavaScript client-side code. Worklight web applications can also be scanned. v Worklight project scan support does not include: Server-side JavaScript code such as Worklight Adapter code. Language Support on Linux IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI) support scanning these languages: v C/C++ v COBOL v ColdFusion v Java (including support for Android APIs) v JavaServer Pages (JSP) v v v v v JavaScript Perl PHP (Versions 4.x and 5.x) PL/SQL T-SQL Note: For PHP: v Only ISO-8859-1 (Western Europe), UTF-8, and UTF-16 character sets are supported. v You may encounter informational parsing error messages when scanning PHP version 5.3 and higher. These errors display in the Console view. For example, 18 IBM Security AppScan Source: Installation and Administration Guide 07/31/14 14:11:27 - Parsing error at C:\TestApps\php-5.5-Example\test.php(11,11) due to: found/expected identifier/& ( + - :: ; || && or and xor | ^ . * / % << >> === !== == != < <= > >= instanceof ? This message is indicating that there is a new keyword or syntax in the PHP code that the AppScan Source parser does not recognize. This will only occur if you are using language keywords or syntax that are only available in PHP version 5.3 or higher. Parsing errors such as this can result in missed findings in the code, if the parser cannot reset and continue parsing the code scope. Example: The finally keyword was added in PHP version 5.5. This keyword is used in try-catch-finally blocks. If the finally block is used, the parser will generate an error similar to the one displayed above. AppScan Source will attempt to handle the error and continue parsing. If parsing cannot continue, the parser will stop parsing the method in which the error was encountered - and that entire method will not be available for analysis. The AppScan Source for Development Eclipse Plug-in (which can be applied to Eclipse or IBM Rational Application Developer for WebSphere Software (RAD)) supports scanning Java (including support for Android APIs), JavaServer Pages (JSP), and IBM Worklight projects. v Worklight project scan support includes: Native client-side Android and iOS source code, in addition to most user-written JavaScript client-side code. Worklight web applications can also be scanned. v Worklight project scan support does not include: Server-side JavaScript code such as Worklight Adapter code. Language Support on OS X IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI) support scanning these languages: v Objective-C in Xcode projects and workspaces v Java (including support for Android APIs) v JavaServer Pages (JSP) v JavaScript The AppScan Source for Development Eclipse Plug-in (which can be applied to Eclipse or IBM Rational Application Developer for WebSphere Software (RAD)) supports scanning Java (including support for Android APIs), JavaServer Pages (JSP), Objective-C in Xcode projects, and IBM Worklight projects. v Worklight project scan support includes: Native client-side Android and iOS source code, in addition to most user-written JavaScript client-side code. Worklight web applications can also be scanned. v Worklight project scan support does not include: Server-side JavaScript code such as Worklight Adapter code. Note: If you are using CocoaPods to create your Xcode projects, you must install its xcproj tool in order for AppScan Source to be able to read the generated Xcode project format. See https://github.com/CocoaPods/CocoaPods/wiki/GenerateASCII-format-xcodeproj for information about installing this tool. Chapter 2. System requirements and installation prerequisites 19 Framework for Frameworks handling APIs: built-in framework support AppScan Source includes built-in support for these frameworks: v Apache Struts 1 and 2 v Spring MVC 2.5 and 3 v ASP .NET MVC (Windows only) v Enterprise JavaBeans (EJB) 2 v v v v v v ASP .NET (Windows only) J2EE JavaServer Faces (JSF) 2 .NET 4.5 (Windows only) Jax - RS (V1.0 and V1.1) Jax - WS (V2.2) AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux On Linux, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan Source for Analysis and the AppScan Source for Development Eclipse plug-in may exhibit symptoms such as a hang after login or a fail during product use. Information about this prerequisite is available at http://www.eclipse.org/swt/ faq.php#browserwebkitgtk. v “Enabling browser-based content on Linux for AppScan Source for Analysis” v “Enabling browser-based content on Linux for AppScan Source for Development installed to Eclipse Version 3.7 or later” on page 21 v “Enabling browser-based content on Linux for AppScan Source for Development installed to Eclipse Version 3.6 or earlier” on page 21 Enabling browser-based content on Linux for AppScan Source for Analysis AppScan Source for Analysis is built on Eclipse and is, therefore, affected by this issue. The recommended approach for correcting this is to ensure that a 32-bit or i686 version of WebKitGTK 1.2.0 or later is installed. You should consult with your system administrator for the proper way to get packages installed, but on some systems this may be as simple as issuing yum install webkitgtk.i686. If you are unable to install WebKitGTK, you can choose to install a 32-bit version of Mozilla XULRunner 1.8. With this option, you may also need to make these updates to your environment variables: v Set MOZILLA_FIVE_HOME to the XULRunner installation location. v Update LD_LIBRARY_PATH to append (or pre-pend) $MOZILLA_FIVE_HOME 20 IBM Security AppScan Source: Installation and Administration Guide Enabling browser-based content on Linux for AppScan Source for Development installed to Eclipse Version 3.7 or later The recommended approach for correcting this is to ensure that a 32-bit or i686 version of WebKitGTK 1.2.0 or later is installed. You should consult with your system administrator for the proper way to get packages installed, but on some systems this may be as simple as issuing yum install webkitgtk.i686. If you are unable to install WebKitGTK, you can choose to install a 32-bit version of Mozilla XULRunner 1.8. With this option, you may also need to make these updates to your environment variables: v Set MOZILLA_FIVE_HOME to the XULRunner installation location. v Update LD_LIBRARY_PATH to append (or pre-pend) $MOZILLA_FIVE_HOME Enabling browser-based content on Linux for AppScan Source for Development installed to Eclipse Version 3.6 or earlier Ensure that you have a 32-bit version of Mozilla XULRunner Version 1.8 installed (Version 1.8.0.4 works in most environments - see https://developer.mozilla.org/ en-US/docs/XULRunner_1.8.0.4_Release_Notes). After installing XULRunner, you may also need to make these updates to your environment variables: v Set MOZILLA_FIVE_HOME to the XULRunner installation location. v Update LD_LIBRARY_PATH to append (or pre-pend) $MOZILLA_FIVE_HOME Chapter 2. System requirements and installation prerequisites 21 22 IBM Security AppScan Source: Installation and Administration Guide Chapter 3. Sample installation scenarios When installing AppScan Source, it is important that the correct installation workflow be followed. These topics guide you through the workflow involved in some sample installation scenarios. Important: v Before installing any component required for AppScan Source, consult the component's system requirements to ensure it supports your operating system. v These scenarios do not apply to OS X. To learn how to install AppScan Source on OS X, see “Installing AppScan Source on OS X” on page 71. AppScan Source consists of key components, listed here in the order in which they should be installed: v Rational License Server: This is required for AppScan Enterprise Server license application. It is also used for applying AppScan Source floating licenses (but not for applying AppScan Source local license files). v AppScan Enterprise Server: All AppScan Source products and components must communicate with an AppScan Enterprise Server. Once installed, you specify the Rational License Server to which you have imported the AppScan Enterprise Server license. v AppScan Source product images: This includes AppScan Source for Analysis, AppScan Source for Automation, AppScan Source for Development, and AppScan Source for Remediation. Once installed, you specify the AppScan Enterprise Server that the AppScan Source Database will connect to. In addition, if you will make use of a floating license for AppScan Source, you specify the Rational License Server to which you have imported the AppScan Source license. The instructions in these scenarios assume that: v All components are being installed on Microsoft Windows. For some instructions, basic Linux settings and information are provided - however, main scenario workflow is described only for Windows. v You have administrative privileges on the machine or machines on which you are installing AppScan Source components. v You are only installing the user management features of the AppScan Enterprise Server. v That you will use IBM solidDB as your AppScan Source Database. v A floating license will be used for activating the AppScan Enterprise Server and local license files will be used for activating AppScan Source components. v “Installing all required components on one machine” on page 24 v “Installing AppScan Source components in a multi-machine environment” on page 30 v “Installing AppScan Source and integrating it with an existing AppScan Enterprise Server” on page 39 v “Migrating Rational AppScan Source Edition Version 8.0.x or earlier to Version 8.6.x” on page 44 © Copyright IBM Corp. 2003, 2014 23 Installing all required components on one machine In this scenario, all components are installed on one machine. When configuring component connections, localhost settings are applied. About this task This scenario is divided into four sections: v “Installing IBM Rational License Server” v “Installing IBM Security AppScan Enterprise Server” on page 25 v “Installing AppScan Source” on page 26 v “Logging into AppScan Source” on page 30 Important: v Before installing any component required for AppScan Source, consult the component's system requirements to ensure it supports your operating system. v These scenarios do not apply to OS X. To learn how to install AppScan Source on OS X, see “Installing AppScan Source on OS X” on page 71. Installing IBM Rational License Server The Rational License Server is used for hosting your AppScan Enterprise Server license. It can also be used for hosting AppScan Source floating licenses, however, this is not covered in these instructions. About this task If you already have a supported version of Rational License Server installed, you can skip the portion of these instructions that cover Rational License Server installation - and proceed to the portion of the instructions that covers launching License Key Administrator and importing your license. Supported Rational License Server versions are outlined in the AppScan Enterprise Server system requirements (http://www.ibm.com/support/docview.wss?uid=swg27027541) and the AppScan Source system requirements (http://www.ibm.com/support/ docview.wss?uid=swg27027486). Procedure 1. Locate the Rational License Key Server image (on your AppScan Source product DVDs or that you downloaded as part of the AppScan Source eAssembly at IBM Passport Advantage®). 2. Extract the image to a local drive and, in the resulting directory, locate and run RLKSSERVER_SETUP\disk1\launchpad.exe. 3. In the Rational License Server installer, click Install or Update IBM Rational License Key Server. 4. If IBM Installation Manager is not already installed on your system, it will launch for installation purposes. a. On the first page of the Install Packages wizard, ensure that the IBM Installation Manager check box, and check boxes for all entries beneath it, are selected. Click Next. b. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next. c. In the Location page, specify the installation directory and then click Next. 24 IBM Security AppScan Source: Installation and Administration Guide d. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. e. When the installation is complete, click Restart Installation Manager. This will launch Installation Manager and allow you to install On the first page of the Install Packages wizard, ensure that the IBM Rational License Key Server check box, and check boxes for all entries beneath it, are selected. Click Next. In the Prerequisites page, you are instructed to close all applications and disable anti-virus software. Complete these precautionary tasks and then click Next. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next. In the Location page, specify the installation directory and then click Next. Complete the Package Group page according to your needs (for example, if you are using Installation Manager for the first time and have no existing package group, leave the default settings as-is). Click Next. In the Translation Selection page, select the national languages that you want to install. Click Next. On the Features page, ensure that all features are selected and then click Next. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install. When the installation is complete, click Finish and close IBM Installation Manager. Launch the IBM Rational License Key Administrator from the Windows Start menu (in the Programs menu, launch IBM Rational > License Key Administrator). When the IBM Rational License Key Administrator starts, you are prompted with the License Key Administrator Wizard (if the wizard does not open automatically, select License Keys > License Key Wizard from the main menu). In this wizard, select Import a Rational License File and then click Next. 16. In the Import a License File panel, click Browse and then navigate to your AppScan Enterprise Server license file. Open the file with the browse dialog box and then click Import. 17. After confirming the license or licenses that will be imported, the Restart License Server dialog box will open. Click Yes to restart the license server. If the License Server service fails to start, open the Windows Services administrative tool. In the tool, locate FLEXlm License Manager and start it. Installing IBM Security AppScan Enterprise Server To learn how to install the Enterprise Server, refer to the AppScan Enterprise Planning & Installation Guide or to the interactive installation guide at IBM Knowledge Center. About this task The AppScan Enterprise Planning & Installation Guide accompanies the IBM Security AppScan Enterprise Server installation images. The interactive installation guide can be found at http://www.ibm.com/support/knowledgecenter/SSW2NF/ Chapter 3. Sample installation scenarios 25 welcome (for example, the Version 9.0.1 interactive installation guide is available at http://www.ibm.com/support/knowledgecenter/SSW2NF_9.0.1/ com.ibm.ase.help.doc/topics/roadmap_ase_install.html). What to do next If AppScan Source was installed prior to installing the Enterprise Server, you will need to register the Database with the Enterprise Server. A utility for doing this is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the AppScan Source Installation and Administration Guide. If you need to uninstall the Enterprise Server, you must delete its installation directory before installing it again. Installing AppScan Source Procedure 1. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage). 2. Extract the image to a local drive and, in the resulting directory, locate and run the setup file. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 54 topic in the IBM Security AppScan Source Installation and Administration Guide. Note: There are images for each product in the AppScan Source family. The setup file is located at the root of these zipped images. 3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. 4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure. 5. In the Component Selection installation panel, select the components to install. AppScan Source components are divided into server and client components: a. To install AppScan Source server components, select Server Component Selection and then choose the components to install: v AppScan Source Database v AppScan Source for Automation b. To install AppScan Source client components, select Client Component Selection and then choose the components to install: v AppScan Source for Analysis v AppScan Source Command Line Interface v AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default) v Windows only: AppScan Source for Development for Visual Studio (not selected by default)(this option is only available if the installer detected Microsoft Visual Studio 2008 on your system) v Windows only: AppScan Source for Development for Visual Studio (not selected by default)(this option is only available if the installer detected Microsoft Visual Studio 2010 on your system) 26 IBM Security AppScan Source: Installation and Administration Guide 2008 has 2010 has v Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system) By default, when Client Component Selection is selected, the AppScan Source for Development plug-in components are deselected and all other components are selected. After you have selected the components that you want to install, click Next to advance to the next installation panel. 6. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to: v I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source. v I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields: – AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format. – User ID: Specify your AppScan Enterprise Server user ID. – Password: Specify the password for your AppScan Enterprise Server user ID. When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source. v Let me proceed without specifying a server: Select this option to proceed without specifying a server. Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69, ensuring that the Force TLSv1.2 option is applied. Click Next to advance to the next installation panel. Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options. Chapter 3. Sample installation scenarios 27 7. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are: v 32-bit versions of Microsoft Windows: :\Program Files\IBM\AppScanSource v 64-bit versions of Microsoft Windows: :\Program Files (x86)\IBM\AppScanSource v Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to /AppScan_Source by default. v OS X: /Applications/AppScanSource.app Important: v The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted. v If you are installing on Windows, you must have Administrator privileges to install AppScan Source components. v If you are installing on Linux, you must have root privileges to install AppScan Source server components. Click Next to advance to the next installation panel. 8. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select one of: v Install solidDB v Install database into existing Oracle 11g Server For additional information about installing solidDB - or to an existing Oracle database - refer to the “Installing the database and configuring connections to AppScan Enterprise Server” on page 59 topic in the IBM Security AppScan Source Installation and Administration Guide. Click Next to advance to the next installation panel. 9. If you choose to install a solidDB database in the Database selection panel, you are prompted with the Configure IBM solidDB Admin User panel. In it, configure the solidDB database administrator account. The default database administrator user name and password are both dba. You cannot change this user name, however, the password can be changed. Note: To learn how to change the user password after completing the product installation, see Chapter 17, “Changing IBM solidDB user passwords after installation,” on page 125. Click Next advance to the next installation panel. 10. The Configure IBM solidDB AppScan Source User panel allows you to configure the solidDB AppScan Source database user account. You can retain the default user name, ounce, and default password, ounce. All components that read from or write to the AppScan Source Database use this account. Note: v If you change the user names and passwords, you must keep a record of the new configuration in case your IBM support representative requires access to your AppScan Source Database. 28 IBM Security AppScan Source: Installation and Administration Guide v To learn how to change the user password after completing the product installation, see Chapter 17, “Changing IBM solidDB user passwords after installation,” on page 125. Click Next to advance to the next installation panel. 11. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 12. Review and accept the terms of the license agreement and then click Next to continue. 13. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive. For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.) During the installation, clicking Cancel at any time results in the uninstallation of all components. 14. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings and that the server has been configured for Jazz Team Server authentication. v If the server is configured for Windows authentication, select the Configure the AppScan Enterprise Server now check box and then enter the Windows credentials that were used when your account was added to the server (the user ID must be in the format \). v If the server is configured for Jazz Team Server authentication, for this installation scenario, the default settings should be correct - with the exception of the server administrative Password. If you changed the default password during the AppScan Enterprise Server installation, select the Configure the AppScan Enterprise Server now check box and then enter the password in the Password field. Note: The entry in the Database Host Name field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly. Chapter 3. Sample installation scenarios 29 Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the IBM Security AppScan Source Installation and Administration Guide. Click Next to advance to the next installation panel. 15. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard. 16. In the License Manager utility: a. To apply a license file, click Import and then browse to your downloaded AppScan Source license. b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license. See Chapter 8, “Activating the software,” on page 97 for additional activation instructions. Logging into AppScan Source About this task Refer to the section below for a description of the fields requested when you log in. For detailed information, see the Chapter 12, “Logging in to AppScan Enterprise Server from AppScan Source products,” on page 113 topic in the IBM Security AppScan Source Installation and Administration Guide. Procedure v User ID: Specify your user ID. v Password: Specify the password for your user ID. v AppScan Enterprise Server: Specify the hostname for your AppScan Enterprise Server instance in the existing URL format. For this installation scenario, specify https://localhost:9443/ase/ or localhost. Installing AppScan Source components in a multi-machine environment AppScan Source components can be installed on multiple machines. In this scenario, components are deployed in a multi-machine environment. Rational License Server, AppScan Enterprise Server, AppScan Source client products, and the AppScan Source Database are all installed on different machines. About this task This scenario is divided into five sections: v “Installing IBM Rational License Server on Machine A” on page 31 v “Installing IBM Security AppScan Enterprise Server on Machine B” on page 32 v “Installing AppScan Source client products on Machine C” on page 33 v “Installing the AppScan Source Database on Machine D” on page 35 v “Logging into AppScan Source” on page 38 30 IBM Security AppScan Source: Installation and Administration Guide Important: v Before installing any component required for AppScan Source, consult the component's system requirements to ensure it supports your operating system. v These scenarios do not apply to OS X. To learn how to install AppScan Source on OS X, see “Installing AppScan Source on OS X” on page 71. Installing IBM Rational License Server on Machine A The Rational License Server is used for hosting your AppScan Enterprise Server license. It can also be used for hosting AppScan Source floating licenses, however, this is not covered in these instructions. About this task If you already have a supported version of Rational License Server installed, you can skip the portion of these instructions that cover Rational License Server installation - and proceed to the portion of the instructions that covers launching License Key Administrator and importing your license. Supported Rational License Server versions are outlined in the AppScan Enterprise Server system requirements (http://www.ibm.com/support/docview.wss?uid=swg27027541) and the AppScan Source system requirements (http://www.ibm.com/support/ docview.wss?uid=swg27027486). Procedure 1. Locate the Rational License Key Server image (on your AppScan Source product DVDs or that you downloaded as part of the AppScan Source eAssembly at IBM Passport Advantage). 2. Extract the image to a local drive and, in the resulting directory, locate and run RLKSSERVER_SETUP\disk1\launchpad.exe. 3. In the Rational License Server installer, click Install or Update IBM Rational License Key Server. 4. If IBM Installation Manager is not already installed on your system, it will launch for installation purposes. a. On the first page of the Install Packages wizard, ensure that the IBM Installation Manager check box, and check boxes for all entries beneath it, are selected. Click Next. b. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next. c. In the Location page, specify the installation directory and then click Next. d. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install. e. When the installation is complete, click Restart Installation Manager. This will launch Installation Manager and allow you to install 5. On the first page of the Install Packages wizard, ensure that the IBM Rational License Key Server check box, and check boxes for all entries beneath it, are selected. Click Next. 6. In the Prerequisites page, you are instructed to close all applications and disable anti-virus software. Complete these precautionary tasks and then click Next. Chapter 3. Sample installation scenarios 31 7. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next. 8. In the Location page, specify the installation directory and then click Next. 9. Complete the Package Group page according to your needs (for example, if you are using Installation Manager for the first time and have no existing package group, leave the default settings as-is). Click Next. 10. In the Translation Selection page, select the national languages that you want to install. Click Next. 11. On the Features page, ensure that all features are selected and then click Next. 12. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install. 13. When the installation is complete, click Finish and close IBM Installation Manager. 14. Launch the IBM Rational License Key Administrator from the Windows Start menu (in the Programs menu, launch IBM Rational > License Key Administrator). 15. When the IBM Rational License Key Administrator starts, you are prompted with the License Key Administrator Wizard (if the wizard does not open automatically, select License Keys > License Key Wizard from the main menu). In this wizard, select Import a Rational License File and then click Next. 16. In the Import a License File panel, click Browse and then navigate to your AppScan Enterprise Server license file. Open the file with the browse dialog box and then click Import. 17. After confirming the license or licenses that will be imported, the Restart License Server dialog box will open. Click Yes to restart the license server. If the License Server service fails to start, open the Windows Services administrative tool. In the tool, locate FLEXlm License Manager and start it. Installing IBM Security AppScan Enterprise Server on Machine B To learn how to install the Enterprise Server, refer to the AppScan Enterprise Planning & Installation Guide or to the interactive installation guide at IBM Knowledge Center. About this task The AppScan Enterprise Planning & Installation Guide accompanies the IBM Security AppScan Enterprise Server installation images. The interactive installation guide can be found at http://www.ibm.com/support/knowledgecenter/SSW2NF/ welcome (for example, the Version 9.0.1 interactive installation guide is available at http://www.ibm.com/support/knowledgecenter/SSW2NF_9.0.1/ com.ibm.ase.help.doc/topics/roadmap_ase_install.html). What to do next If AppScan Source was installed prior to installing the Enterprise Server, you will need to register the Database with the Enterprise Server. A utility for doing this is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the AppScan Source Installation and Administration Guide. 32 IBM Security AppScan Source: Installation and Administration Guide If you need to uninstall the Enterprise Server, you must delete its installation directory before installing it again. Installing AppScan Source client products on Machine C About this task Note that the order in which you install AppScan Source client products and the AppScan Source Database does not matter. The client products can be installed before you install the database - or vice-versa. Procedure 1. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage). 2. Extract the image to a local drive and, in the resulting directory, locate and run the setup file. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 54 topic in the IBM Security AppScan Source Installation and Administration Guide. Note: There are images for each product in the AppScan Source family. The setup file is located at the root of these zipped images. 3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. 4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure. 5. In the Component Selection installation panel, select Client Component Selection and then choose the components to install: v AppScan Source for Analysis v AppScan Source Command Line Interface v AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default) v Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system) v Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system) v Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system) By default, when Client Component Selection is selected, the AppScan Source for Development plug-in components are deselected and all other components are selected. After you have selected the components that you want to install, click Next to advance to the next installation panel. 6. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are: v 32-bit versions of Microsoft Windows: :\Program Files\IBM\AppScanSource Chapter 3. Sample installation scenarios 33 v 64-bit versions of Microsoft Windows: :\Program Files (x86)\IBM\AppScanSource v Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to /AppScan_Source by default. v OS X: /Applications/AppScanSource.app Important: v The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted. v If you are installing on Windows, you must have Administrator privileges to install AppScan Source components. v If you are installing on Linux, you must have root privileges to install AppScan Source server components. Click Next to advance to the next installation panel. 7. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 8. Review and accept the terms of the license agreement and then click Next to continue. 9. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive. For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.) During the installation, clicking Cancel at any time results in the uninstallation of all components. 10. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard. 11. In the License Manager utility: a. To apply a license file, click Import and then browse to your downloaded AppScan Source license. 34 IBM Security AppScan Source: Installation and Administration Guide b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license. See Chapter 8, “Activating the software,” on page 97 for additional activation instructions. Installing the AppScan Source Database on Machine D About this task Note that the order in which you install AppScan Source client products and the AppScan Source Database does not matter. The client products can be installed before you install the database - or vice-versa. Procedure 1. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage). 2. Extract the image to a local drive and, in the resulting directory, locate and run the setup file. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 54 topic in the IBM Security AppScan Source Installation and Administration Guide. Note: There are images for each product in the AppScan Source family. The setup file is located at the root of these zipped images. 3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. 4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure. 5. In the Component Selection installation panel, select Server Component Selection and then ensure that AppScan Source Database is selected. Click Next to advance to the next installation panel. 6. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to: v I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source. v I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. Chapter 3. Sample installation scenarios 35 v I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields: – AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format. – User ID: Specify your AppScan Enterprise Server user ID. – Password: Specify the password for your AppScan Enterprise Server user ID. When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source. v Let me proceed without specifying a server: Select this option to proceed without specifying a server. Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69, ensuring that the Force TLSv1.2 option is applied. Click Next to advance to the next installation panel. Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options. 7. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are: v 32-bit versions of Microsoft Windows: :\Program Files\IBM\AppScanSource v 64-bit versions of Microsoft Windows: :\Program Files (x86)\IBM\AppScanSource v Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to /AppScan_Source by default. v OS X: /Applications/AppScanSource.app Important: v The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted. v If you are installing on Windows, you must have Administrator privileges to install AppScan Source components. v If you are installing on Linux, you must have root privileges to install AppScan Source server components. Click Next to advance to the next installation panel. 8. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select the Install solidDB radio button and then click Next to advance to the next installation panel. 36 IBM Security AppScan Source: Installation and Administration Guide 9. If you choose to install a solidDB database in the Database selection panel, you are prompted with the Configure IBM solidDB Admin User panel. In it, configure the solidDB database administrator account. The default database administrator user name and password are both dba. You cannot change this user name, however, the password can be changed. Note: To learn how to change the user password after completing the product installation, see Chapter 17, “Changing IBM solidDB user passwords after installation,” on page 125. Click Next advance to the next installation panel. 10. The Configure IBM solidDB AppScan Source User panel allows you to configure the solidDB AppScan Source database user account. You can retain the default user name, ounce, and default password, ounce. All components that read from or write to the AppScan Source Database use this account. Note: v If you change the user names and passwords, you must keep a record of the new configuration in case your IBM support representative requires access to your AppScan Source Database. v To learn how to change the user password after completing the product installation, see Chapter 17, “Changing IBM solidDB user passwords after installation,” on page 125. Click Next to advance to the next installation panel. 11. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 12. Review and accept the terms of the license agreement and then click Next to continue. 13. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive. For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.) During the installation, clicking Cancel at any time results in the uninstallation of all components. Chapter 3. Sample installation scenarios 37 14. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. Select the Configure the AppScan Enterprise Server now check box and complete these settings: v AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance (for example, https://MachineB.mydomain.com:9443/ase). v User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format \). v Password: Specify the password for your AppScan Enterprise Server user ID. v Database Host Name: Specify the fully-qualified host name for the machine on which you have installed the AppScan Source Database (for example, MachineD.mydomain.com). Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly. Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the IBM Security AppScan Source Installation and Administration Guide. Click Next to advance to the next installation panel. 15. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard. 16. In the License Manager utility: a. To apply a license file, click Import and then browse to your downloaded AppScan Source license. b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license. See Chapter 8, “Activating the software,” on page 97 for additional activation instructions. Logging into AppScan Source About this task Refer to the section below for a description of the fields requested when you log in. For detailed information, see the Chapter 12, “Logging in to AppScan Enterprise Server from AppScan Source products,” on page 113 topic in the IBM Security AppScan Source Installation and Administration Guide. 38 IBM Security AppScan Source: Installation and Administration Guide Procedure v User ID: Specify your user ID. v Password: Specify the password for your user ID. v AppScan Enterprise Server: Specify the hostname for your AppScan Enterprise Server instance in the existing URL format. For this installation scenario, specify the fully-qualified host name of the machine on which the AppScan Enterprise Server is installed. Tip: If the fully-qualified host name does not work, try entering the IP address of the host machine. Installing AppScan Source and integrating it with an existing AppScan Enterprise Server In this scenario, AppScan Source components are installed on one machine - and they are configured to connect to an existing AppScan Enterprise Server. About this task This scenario is divided into two sections: v “Installing AppScan Source” v “Logging into AppScan Source” on page 43 Important: v Before installing any component required for AppScan Source, consult the component's system requirements to ensure it supports your operating system. v These scenarios do not apply to OS X. To learn how to install AppScan Source on OS X, see “Installing AppScan Source on OS X” on page 71. Installing AppScan Source Procedure 1. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage). 2. Extract the image to a local drive and, in the resulting directory, locate and run the setup file. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 54 topic in the IBM Security AppScan Source Installation and Administration Guide. Note: There are images for each product in the AppScan Source family. The setup file is located at the root of these zipped images. 3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. 4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure. 5. In the Component Selection installation panel, select the components to install. AppScan Source components are divided into server and client components: a. To install AppScan Source server components, select Server Component Selection and then choose the components to install: Chapter 3. Sample installation scenarios 39 v AppScan Source Database v AppScan Source for Automation b. To install AppScan Source client components, select Client Component Selection and then choose the components to install: v AppScan Source for Analysis v AppScan Source Command Line Interface v AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default) v Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system) v Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system) v Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system) By default, when Client Component Selection is selected, the AppScan Source for Development plug-in components are deselected and all other components are selected. After you have selected the components that you want to install, click Next to advance to the next installation panel. 6. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to: v I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source. v I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields: – AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format. – User ID: Specify your AppScan Enterprise Server user ID. – Password: Specify the password for your AppScan Enterprise Server user ID. When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source. 40 IBM Security AppScan Source: Installation and Administration Guide v Let me proceed without specifying a server: Select this option to proceed without specifying a server. Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69, ensuring that the Force TLSv1.2 option is applied. Click Next to advance to the next installation panel. Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options. 7. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are: v 32-bit versions of Microsoft Windows: :\Program Files\IBM\AppScanSource v 64-bit versions of Microsoft Windows: :\Program Files (x86)\IBM\AppScanSource v Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to /AppScan_Source by default. v OS X: /Applications/AppScanSource.app Important: v The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted. v If you are installing on Windows, you must have Administrator privileges to install AppScan Source components. v If you are installing on Linux, you must have root privileges to install AppScan Source server components. Click Next to advance to the next installation panel. 8. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select one of: v Install solidDB v Install database into existing Oracle 11g Server For additional information about installing solidDB - or to an existing Oracle database - refer to the “Installing the database and configuring connections to AppScan Enterprise Server” on page 59 topic in the IBM Security AppScan Source Installation and Administration Guide. Click Next to advance to the next installation panel. 9. If you choose to install a solidDB database in the Database selection panel, you are prompted with the Configure IBM solidDB Admin User panel. In it, configure the solidDB database administrator account. The default database administrator user name and password are both dba. You cannot change this user name, however, the password can be changed. Chapter 3. Sample installation scenarios 41 Note: To learn how to change the user password after completing the product installation, see Chapter 17, “Changing IBM solidDB user passwords after installation,” on page 125. Click Next advance to the next installation panel. 10. The Configure IBM solidDB AppScan Source User panel allows you to configure the solidDB AppScan Source database user account. You can retain the default user name, ounce, and default password, ounce. All components that read from or write to the AppScan Source Database use this account. Note: v If you change the user names and passwords, you must keep a record of the new configuration in case your IBM support representative requires access to your AppScan Source Database. v To learn how to change the user password after completing the product installation, see Chapter 17, “Changing IBM solidDB user passwords after installation,” on page 125. Click Next to advance to the next installation panel. 11. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 12. Review and accept the terms of the license agreement and then click Next to continue. 13. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive. For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.) During the installation, clicking Cancel at any time results in the uninstallation of all components. 14. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings and that the server has been configured for Jazz Team Server authentication. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings: 42 IBM Security AppScan Source: Installation and Administration Guide v AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance. v User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format \). v Password: Specify the password for your AppScan Enterprise Server user ID. v Database Host Name: Specify the host name for the machine on which you have installed the AppScan Source Database. Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly. Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the IBM Security AppScan Source Installation and Administration Guide. Click Next to advance to the next installation panel. 15. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard. 16. In the License Manager utility: a. To apply a license file, click Import and then browse to your downloaded AppScan Source license. b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license. See Chapter 8, “Activating the software,” on page 97 for additional activation instructions. Logging into AppScan Source About this task Refer to the section below for a description of the fields requested when you log in. For detailed information, see the Chapter 12, “Logging in to AppScan Enterprise Server from AppScan Source products,” on page 113 topic in the IBM Security AppScan Source Installation and Administration Guide. Procedure v User ID: Specify your user ID. v Password: Specify the password for your user ID. v AppScan Enterprise Server: Specify the hostname for your AppScan Enterprise Server instance in the existing URL format. If the AppScan Enterprise Server is located on the same machine, specify https://localhost:9443/ase/ or Chapter 3. Sample installation scenarios 43 localhost. If the AppScan Enterprise Server is located on a remote machine, specify the fully-qualified host name of the machine on which it is installed. Tip: If the fully-qualified host name does not work, try entering the IP address of the host machine. Migrating Rational AppScan Source Edition Version 8.0.x or earlier to Version 8.6.x Prior to Version 8.5, Rational AppScan Source Edition (now called AppScan Source) included Rational AppScan Source Edition for Core. This server-based product provided the central repository for shared information. In Version 8.5, Rational AppScan Source Edition for Core was replaced with Rational AppScan Enterprise Server (now called AppScan Enterprise Server). This scenario describes the upgrade from Version 8.0.x or earlier to Version 8.6.x. About this task This scenario is divided into four sections: v “Installing IBM Rational License Server” v “Installing Rational AppScan Enterprise Server” on page 45 v “Upgrading Rational AppScan Source Edition” on page 46 v “Logging into Rational AppScan Source Edition” on page 48 Installing IBM Rational License Server Prior to Version 8.5, Rational License Server was only required for hosting Rational AppScan Source Edition floating licenses. As of Version 8.5, Rational License Server is required for hosting your Rational AppScan Enterprise Server license. About this task If you already have a supported version of Rational License Server installed, you can skip the portion of these instructions that cover Rational License Server installation - and proceed to the portion of the instructions that covers launching License Key Administrator and importing your license. Supported Rational License Server versions are outlined in the AppScan Enterprise Server system requirements (http://www.ibm.com/support/docview.wss?uid=swg27027541) and the AppScan Source system requirements (http://www.ibm.com/support/ docview.wss?uid=swg27027486). Procedure 1. Locate the Rational License Key Server image (on your Rational AppScan Source Edition product DVDs or that you downloaded as part of the Rational AppScan Source Edition eAssembly at IBM Passport Advantage). 2. Extract the image to a local drive and, in the resulting directory, locate and run RLKSSERVER_SETUP\disk1\launchpad.exe. 3. In the Rational License Server installer, click Install or Update IBM Rational License Key Server. 4. If IBM Installation Manager is not already installed on your system, it will launch for installation purposes. a. On the first page of the Install Packages wizard, ensure that the IBM Installation Manager check box, and check boxes for all entries beneath it, are selected. Click Next. 44 IBM Security AppScan Source: Installation and Administration Guide b. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next. c. In the Location page, specify the installation directory and then click Next. d. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install. e. When the installation is complete, click Restart Installation Manager. This will launch Installation Manager and allow you to install 5. On the first page of the Install Packages wizard, ensure that the IBM Rational License Key Server check box, and check boxes for all entries beneath it, are selected. Click Next. 6. In the Prerequisites page, you are instructed to close all applications and disable anti-virus software. Complete these precautionary tasks and then click Next. 7. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next. 8. In the Location page, specify the installation directory and then click Next. 9. Complete the Package Group page according to your needs (for example, if you are using Installation Manager for the first time and have no existing package group, leave the default settings as-is). Click Next. 10. In the Translation Selection page, select the national languages that you want to install. Click Next. 11. On the Features page, ensure that all features are selected and then click Next. 12. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install. 13. When the installation is complete, click Finish and close IBM Installation Manager. 14. Launch the IBM Rational License Key Administrator from the Windows Start menu (in the Programs menu, launch IBM Rational > License Key Administrator). 15. When the IBM Rational License Key Administrator starts, you are prompted with the License Key Administrator Wizard (if the wizard does not open automatically, select License Keys > License Key Wizard from the main menu). In this wizard, select Import a Rational License File and then click Next. 16. In the Import a License File panel, click Browse and then navigate to your Rational AppScan Enterprise Server license file. Open the file with the browse dialog box and then click Import. 17. After confirming the license or licenses that will be imported, the Restart License Server dialog box will open. Click Yes to restart the license server. If the License Server service fails to start, open the Windows Services administrative tool. In the tool, locate FLEXlm License Manager and start it. Installing Rational AppScan Enterprise Server To learn how to install the Enterprise Server, refer to the AppScan Enterprise Planning & Installation Guide or to the interactive installation guide at IBM Knowledge Center. Chapter 3. Sample installation scenarios 45 About this task The AppScan Enterprise Planning & Installation Guide accompanies the IBM Security AppScan Enterprise Server installation images. The interactive installation guide can be found at http://www.ibm.com/support/knowledgecenter/SSW2NF/ welcome (for example, the Version 9.0.1 interactive installation guide is available at http://www.ibm.com/support/knowledgecenter/SSW2NF_9.0.1/ com.ibm.ase.help.doc/topics/roadmap_ase_install.html). What to do next If AppScan Source was installed prior to installing the Enterprise Server, you will need to register the Database with the Enterprise Server. A utility for doing this is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the AppScan Source Installation and Administration Guide. If you need to uninstall the Enterprise Server, you must delete its installation directory before installing it again. Upgrading Rational AppScan Source Edition Procedure 1. Locate the Rational AppScan Source Edition product zip file (in your Rational AppScan Source Edition media pack - or the electronic image that you downloaded as part of a Rational AppScan Source Edition eAssembly at IBM Passport Advantage). 2. Extract the image to a local drive and, in the resulting directory, locate and run setup.exe. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 54 topic in the IBM Rational AppScan Source Edition Installation and Administration Guide. 3. 4. 5. 6. Note: There are images for each product in the Rational AppScan Source Edition family. The setup.exe file is located at the root of these zipped images. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. After you launch the installation wizard, the Welcome - Installation Upgrade Wizard panel opens and recommends that you quit any open applications. Click Next to proceed. The next installation panel advises you that the Database will be updated during the installation and that the update can take up to 30 minutes. You should not cancel the installation or power down your computer during the Database upgrade. Click Next. To facilitate Database maintenance, enter the credentials for your solidDB AppScan Source database user account and then click Next when you are ready to proceed with the Database upgrade. 7. In the language pack selection panel, choose the language packs to install. When you install a language pack, the Rational AppScan Source Edition user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a 46 IBM Security AppScan Source: Installation and Administration Guide language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 8. Review and accept the terms of the license agreement and then click Next to continue. 9. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive. For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.) During the installation, clicking Cancel at any time results in the uninstallation of all components. 10. In the Rational AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the Rational AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings: v AppScan Enterprise Server: Specify the URL for your Rational AppScan Enterprise Server instance. v User ID: Specify your Rational AppScan Enterprise Server user ID. By default, the user ID is ADMIN. Change this value if you changed the user ID during or after installation of the server. v Password: Specify the password for your Rational AppScan Enterprise Server user ID. By default, the password is ADMIN. Change the value if you changed the password during or after installation of the server. v Database Host Name: Specify the host name for the machine on which you have installed the Rational AppScan Source Edition Database. Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly. Note: The server can also be configured post-installation using a utility that is included with Rational AppScan Source Edition. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the IBM Security AppScan Source Installation and Administration Guide. Click Next to advance to the next installation panel. 11. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Rational AppScan Source Edition License Manager. Click Done to complete the standard installation and exit the Installation Wizard. Chapter 3. Sample installation scenarios 47 12. In the License Manager utility: a. To apply a license file, click Import and then browse to your downloaded AppScan Source license. b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license. See Chapter 8, “Activating the software,” on page 97 for additional activation instructions. Logging into Rational AppScan Source Edition About this task Refer to the section below for a description of the fields requested when you log in. For detailed information, see the Chapter 12, “Logging in to AppScan Enterprise Server from AppScan Source products,” on page 113 topic in the IBM Security AppScan Source Installation and Administration Guide. Procedure v User ID: Specify your user ID. v Password: Specify the password for your user ID. v AppScan Enterprise Server: Specify the hostname for your AppScan Enterprise Server instance in the existing URL format. For this installation scenario, specify https://localhost:9443/ase/ or localhost. 48 IBM Security AppScan Source: Installation and Administration Guide Chapter 4. Upgrading AppScan Source Procedure 1. Upgrade the AppScan Enterprise Server according to the installation instructions provided with it. See “AppScan Enterprise Server overview” on page 58 to learn more about the server. 2. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage). 3. Extract the image to a local drive and, in the resulting directory, locate and run the setup file. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 54 topic in the IBM Security AppScan Source Installation and Administration Guide. Note: There are images for each product in the AppScan Source family. The setup file is located at the root of these zipped images. 4. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. 5. After you launch the installation wizard, the Welcome - Installation Upgrade Wizard panel opens and recommends that you quit any open applications. Click Next to proceed. 6. If your existing installation included the AppScan Source Database, the Server Connection panel opens, followed by Database upgrade and maintenance panels. 7. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to: v I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source. v I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields: – AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format. – User ID: Specify your AppScan Enterprise Server user ID. © Copyright IBM Corp. 2003, 2014 49 – Password: Specify the password for your AppScan Enterprise Server user ID. When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source. v Let me proceed without specifying a server: Select this option to proceed without specifying a server. Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69, ensuring that the Force TLSv1.2 option is applied. Click Next to advance to the next installation panel. Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options. 8. The next installation panel advises you that the Database will be updated during the installation and that the update can take up to 30 minutes. You should not cancel the installation or power down your computer during the Database upgrade. Click Next. 9. To facilitate Database maintenance, enter the credentials for your solidDB AppScan Source database user account and then click Next when you are ready to proceed with the Database upgrade. 10. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 11. Review and accept the terms of the license agreement and then click Next to continue. 12. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive. For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.) During the installation, clicking Cancel at any time results in the uninstallation of all components. 50 IBM Security AppScan Source: Installation and Administration Guide 13. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings and that the server has been configured for Jazz Team Server authentication. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings: v AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance. v User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format \). v Password: Specify the password for your AppScan Enterprise Server user ID. v Database Host Name: Specify the host name for the machine on which you have installed the AppScan Source Database. Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly. Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the IBM Security AppScan Source Installation and Administration Guide. Click Next to advance to the next installation panel. 14. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard. 15. In the License Manager utility: a. To apply a license file, click Import and then browse to your downloaded AppScan Source license. b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license. See Chapter 8, “Activating the software,” on page 97 for additional activation instructions. Results As of AppScan Source Version 8.7, application data is stored outside of the installation directory. If you are upgrading from AppScan Source Version 8.6.x or earlier, your existing application data will be moved to the “Default AppScan Source data directory” on page 56. In addition, a backup of your existing (pre-Version 8.7) application data will be stored in /upgrade_backup Chapter 4. Upgrading AppScan Source 51 (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55). As of AppScan Source Version 9.0, the AppScan Source for Development Eclipse plug-in is supported on OS X. If you are upgrading from AppScan Source Version 8.8.x or earlier on OS X, AppScan Source for Development features will be available for install into Eclipse environments after the upgrade is complete (use of these features requires the appropriate license). For information about installing AppScan Source for Development to Eclipse environments, see “Applying the AppScan Source for Development (Eclipse plug-in) to Eclipse and supported Eclipse-based products” on page 76. 52 IBM Security AppScan Source: Installation and Administration Guide Chapter 5. Advanced installation and activation topics This section describes advanced installation options and activation procedures. AppScan Source software is downloaded from IBM Passport Advantage or purchased as a media pack. Activation licenses are acquired through the IBM Rational License Key Center. Self-extracting installation files are available for Windows, Linux, and OS X. They produce these setup files: v Windows: setup.exe v Linux: setup.bin.gz v OS X: setup.dmg The Installation Wizard guides you through the out-of-the-box installation of all AppScan Source components that are supported on the operating system on which you are installing. When the installation completes, you have the option to launch the activation License Manager from the final installation panel - or you can choose to activate the product at a later time. Important: You must activate the software before you can use it. You must be familiar with your environment and deployment requirements before installing AppScan Source components (see “AppScan Source deployment models” on page 8 for additional information). For example, to run AppScan Source for Analysis on a notebook computer that does not have connectivity to a remote AppScan Enterprise Server, you must install AppScan Source for Analysis and the AppScan Enterprise Server on the notebook. Standard Desktop A standard desktop installation consists of the client and server components necessary to run AppScan Source for Analysis on a single computer, even when disconnected from the network (this installation type requires that the AppScan Enterprise Server also be installed on the computer). Standard desktop installation component options include: v Server components: – AppScan Source Database – AppScan Source for Automation v Client components: – AppScan Source for Analysis – AppScan Source Command Line Interface – AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default) – Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system) © Copyright IBM Corp. 2003, 2014 53 – Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system) – Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system) Server Server components that you can choose to install include: v AppScan Source Database v AppScan Source for Automation Client Client components that you can choose to install include: v AppScan Source for Analysis v AppScan Source Command Line Interface v AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default) v Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system) v Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system) v Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system) Starting the installation wizard The AppScan Source installation wizard runs on Microsoft Windows, Linux, and OS X operating systems. To start the installation: v Microsoft Windows: Run setup.exe v Linux: Run setup.bin v OS X: Open setup.dmg and then run the setup app Important: On Windows 8, the installer must be run in Windows 7 compatibility mode. To enable this, right-click setup.exe and select Properties. In the Properties window, select the Compatibility tab and then select the Run this program in compatibility mode for check box and set the menu to be Windows 7. Click OK to make the change and then run setup.exe to start the AppScan Source installation. The wizard checks for network port availability. If it finds conflicts, you must exit the installation. See Chapter 16, “Port configuration,” on page 123 for more details about required ports. When you first launch the installation wizard, you are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. 54 IBM Security AppScan Source: Installation and Administration Guide After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure (see “Installation and user data file locations” for information about installation file locations). Note: If you have Rational AppScan Source Edition for Portfolio Manager Version 7.0 installed and you are using the installation wizard to upgrade Rational AppScan Source Edition Version 7.0 to a higher version, the installation process will cause Rational AppScan Source Edition for Portfolio Manager Version 7.0 to be removed from your computer. It is recommended that you back up your Rational AppScan Source Edition database before proceeding with removal of this product (in the event that you need to reinstall Rational AppScan Source Edition for Portfolio Manager Version 7.0 at a later time, the database backup can be used to reinstate your Rational AppScan Source Edition Version 7.0). The AppScan Source Version 8.x installation will prompt you before it removes Rational AppScan Source Edition for Portfolio Manager Version 7.0 from your computer. At that time, you will have the option of automatically creating a backup of the IBM solidDB that was installed with Rational AppScan Source Edition. If you choose this option, the backup will be saved to \solidDB\com.ouncelabs.db. (where is the location of your AppScan Source installation). For example, on Windows (32-bit), the backup will be saved to C:\Program Files\IBM\AppScan Source\solidDB\com.ouncelabs.db. by default. If you are using an Oracle database for your data, you should manually back up the database before attempting to upgrade to AppScan Source Version 8.x. Instructions for manually backing up databases can be found in “Backing up the AppScan Source Database” on page 70. To restore a solidDB database, follow the instructions in “Restoring the AppScan Source IBM solidDB database” on page 71. Installation and user data file locations When you install AppScan Source, user data and configuration files are stored outside of the installation directory. v “Default installation location” v “Default AppScan Source data directory” on page 56 v “AppScan Source temporary file location” on page 56 Default installation location When AppScan Source is installed, the software is placed in one of these default locations: v 32-bit versions of Microsoft Windows: :\Program Files\IBM\AppScanSource v 64-bit versions of Microsoft Windows: :\Program Files (x86)\IBM\AppScanSource v Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to /AppScan_Source by default. v OS X: /Applications/AppScanSource.app Chapter 5. Advanced installation and activation topics 55 Important: v The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted. v If you are installing on Windows, you must have Administrator privileges to install AppScan Source components. v If you are installing on Linux, you must have root privileges to install AppScan Source server components. Default AppScan Source data directory AppScan Source data consists of items such as configuration, sample, and log files. When AppScan Source is installed, data files are placed in these locations by default: v Microsoft Windows: :\ProgramData\IBM\AppScanSource Note: ProgramData\ is a hidden folder, and to see it you must modify your view preferences in Explorer to show hidden files and folders. v Linux: /var/opt/ibm/appscansource v OS X: /Users/Shared/AppScanSource To learn how to change the location of the AppScan Source data directory, see “Changing the AppScan Source data directory.” AppScan Source temporary file location Some AppScan Source operations result in the creation of temporary files, which are stored in these locations by default: v Microsoft Windows: :\ProgramData\IBM\AppScanSource\temp Note: ProgramData\ is a hidden folder, and to see it you must modify your view preferences in Explorer to show hidden files and folders. v Linux: /var/opt/ibm/appscansource/temp v OS X: /Users/Shared/AppScanSource/temp The temporary file location is always located in a temp directory in the AppScan Source data directory. You can change the temporary file location by changing the data directory, as described in “Changing the AppScan Source data directory.” This will cause the temp to be located in the data directory that you have chosen. Changing the AppScan Source data directory You may want to change the location of the AppScan Source data directory for the purpose of managing hard disk space. You can change the location after AppScan Source installation by following the steps in this topic. Before you begin Before completing this task, ensure that all AppScan Source client applications have been exited or shut down. AppScan Source client applications include: v AppScan Source for Analysis v AppScan Source for Development (Eclipse or Visual Studio plug-in)(supported only on Windows and Linux) v AppScan Source command line interface (CLI) 56 IBM Security AppScan Source: Installation and Administration Guide v AppScan Source for Automation In addition, if you have installed AppScan Source for Automation, ensure that the Automation Server has been shut down: v On Windows, stop the IBM Security AppScan Source Automation service. v On Linux, issue this command: /etc/init.d/ounceautod stop v On OS X, issue this command: launchctl stop com.ibm.appscan.autod Procedure 1. Define an APPSCAN_SOURCE_SHARED_DATA= environment variable, where is the location in which you want AppScan Source data to be stored. Note: v The location must be a complete and absolute path that already exists on the same machine as your AppScan Source installation. v The directory name can only contain English characters. Folders with names containing non-English characters are not permitted. 2. Locate the default data directory that was created when AppScan Source was installed (see “Default AppScan Source data directory” on page 56 to learn about default data directory locations). 3. Copy or move the contents of the default data directory to the location that is specified in the environment variable. 4. Applies only to AppScan Source for Automation installed on Linux: a. Edit the /etc/init.d/ounceautod file. b. Locate this line, su - ounce -c ’export LD_LIBRARY_PATH="/opt/IBM/AppScan_Source/bin":$LD_LIBRARY_PATH && cd "/opt/IBM/AppScan_Source/bin" && "/opt/IBM/AppScan_Source/bin/ounceautod" -s’ >> "/var/opt/ibm/appscansource/logs/ounceautod_output.log" 2>&1 & and replace it with this: su - ounce -c ’export APPSCAN_SOURCE_SHARED_DATA= && export LD_LIBRARY_PATH="/opt/IBM/AppScan_Source/bin":$LD_LIBRARY_PATH && cd "/opt/IBM/AppScan_Source/bin" && "/opt/IBM/AppScan_Source/bin/ounceautod" -s’ >> "/logs/ounceautod_output.log" 2>&1 & Note: The above command is one line. c. Save the /etc/init.d/ounceautod file. What to do next If v v v you have installed AppScan Source for Automation, start the Automation Server: On Windows, start the IBM Security AppScan Source Automation service. On Linux, issue this command: /etc/init.d/unceautod start On OS X, issue this command: launchctl start com.ibm.appscan.autod Chapter 5. Advanced installation and activation topics 57 AppScan Enterprise Server overview The AppScan Enterprise Server is a separately-installable component that is required for AppScan Source usage. Each AppScan Source product and component needs to be able communicate with an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. In addition, if your administrator has installed the Enterprise Console component of the AppScan Enterprise Server, you can publish assessments to it. The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards. To learn about the hardware and software required to run the AppScan Enterprise Server, see http://www.ibm.com/support/docview.wss?uid=swg27027541. For information about installing the AppScan Enterprise Server, refer to the AppScan Enterprise Planning & Installation Guide or to the AppScan Enterprise Server user assistance at IBM Knowledge Center (http://www.ibm.com/support/ knowledgecenter/SSW2NF/welcome). When used with AppScan Source, the AppScan Enterprise Server requires an IBM solidDB database server that you have installed with the AppScan Source installation wizard - or an existing Oracle database server that has AppScan Source schema and data applied by the AppScan Source installation wizard. Important: If the AppScan Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you must set AppScan Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail. v If you are not installing the AppScan Source Database (for example, you are only installing client components), you can force Transport Layer Security V1.2 by modifying \config\ounce.ozsettings (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55)). In this file, locate this setting: In the setting, change value="0" to value="2" and then save the file. v If you are installing the AppScan Source Database, you force Transport Layer Security V1.2 in the IBM Security AppScan Enterprise Server Database Configuration tool after installing both AppScan Source and the Enterprise Server. To learn about the IBM Security AppScan Enterprise Server Database Configuration tool, see “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69. 58 IBM Security AppScan Source: Installation and Administration Guide Installing the database and configuring connections to AppScan Enterprise Server AppScan Source requires an IBM solidDB database server that you have installed with the AppScan Source installation wizard - or an existing Oracle database server that has AppScan Source schema and data applied by the AppScan Source installation wizard. The database persists AppScan Source Security Knowledgebase data, assessment data, and application/project inventory - and your options for database server installation and configuration are outlined in this topic. Important: When scanning, AppScan Enterprise Server and AppScan Source clients (except AppScan Source for Development) both require a direct connection to the AppScan Source Database (either solidDB or Oracle). Note: AppScan Source server components, such as the AppScan Source Database, are not supported on OS X. Install and configure solidDB During the installation process, you install the database and specify solidDB login settings so that AppScan Enterprise Server can connect to the database. To learn how to install for this scenario, see “Install and configure IBM solidDB.” Install to an existing Oracle database Apply the AppScan Source Database schema and data to an existing Oracle database. During the installation process, you specify Oracle database login settings so that AppScan Enterprise Server can connect to the database. To learn how to install for this scenario, see “Install to an existing Oracle database” on page 63. Install and configure IBM solidDB About this task This task topic describes the procedure for installing and configuring solidDB and the AppScan Enterprise Server. Procedure 1. Install the AppScan Enterprise Server according to the installation instructions provided with it. See “AppScan Enterprise Server overview” on page 58 to learn more about the server. 2. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage). 3. Extract the image to a local drive and, in the resulting directory, locate and run the setup file. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 54 topic in the IBM Security AppScan Source Installation and Administration Guide. Note: There are images for each product in the AppScan Source family. The setup file is located at the root of these zipped images. Chapter 5. Advanced installation and activation topics 59 4. In the Component Selection installation panel, select Server Component Selection and then ensure that AppScan Source Database is selected. Click Next to advance to the next installation panel. 5. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to: v I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source. v I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields: – AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format. – User ID: Specify your AppScan Enterprise Server user ID. – Password: Specify the password for your AppScan Enterprise Server user ID. When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source. v Let me proceed without specifying a server: Select this option to proceed without specifying a server. Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69, ensuring that the Force TLSv1.2 option is applied. Click Next to advance to the next installation panel. Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options. 6. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are: v 32-bit versions of Microsoft Windows: :\Program Files\IBM\AppScanSource v 64-bit versions of Microsoft Windows: :\Program Files (x86)\IBM\AppScanSource 60 IBM Security AppScan Source: Installation and Administration Guide v Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to /AppScan_Source by default. v OS X: /Applications/AppScanSource.app Important: v The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted. v If you are installing on Windows, you must have Administrator privileges to install AppScan Source components. v If you are installing on Linux, you must have root privileges to install AppScan Source server components. Click Next to advance to the next installation panel. 7. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select the Install solidDB radio button and then click Next to advance to the next installation panel. 8. If you choose to install a solidDB database in the Database selection panel, you are prompted with the Configure IBM solidDB Admin User panel. In it, configure the solidDB database administrator account. The default database administrator user name and password are both dba. You cannot change this user name, however, the password can be changed. Note: To learn how to change the user password after completing the product installation, see Chapter 17, “Changing IBM solidDB user passwords after installation,” on page 125. Click Next advance to the next installation panel. 9. The Configure IBM solidDB AppScan Source User panel allows you to configure the solidDB AppScan Source database user account. You can retain the default user name, ounce, and default password, ounce. All components that read from or write to the AppScan Source Database use this account. Note: v If you change the user names and passwords, you must keep a record of the new configuration in case your IBM support representative requires access to your AppScan Source Database. v To learn how to change the user password after completing the product installation, see Chapter 17, “Changing IBM solidDB user passwords after installation,” on page 125. Click Next to advance to the next installation panel. 10. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Chapter 5. Advanced installation and activation topics 61 Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 11. Review and accept the terms of the license agreement and then click Next to continue. 12. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive. For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.) During the installation, clicking Cancel at any time results in the uninstallation of all components. 13. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings and that the server has been configured for Jazz Team Server authentication. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings: v AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance. v User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format \). v Password: Specify the password for your AppScan Enterprise Server user ID. v Database Host Name: Specify the host name for the machine on which you have installed the AppScan Source Database. Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly. Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the IBM Security AppScan Source Installation and Administration Guide. Click Next to advance to the next installation panel. 14. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard. 15. In the License Manager utility: 62 IBM Security AppScan Source: Installation and Administration Guide a. To apply a license file, click Import and then browse to your downloaded AppScan Source license. b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license. See Chapter 8, “Activating the software,” on page 97 for additional activation instructions. Install to an existing Oracle database This task topic describes the procedure for installing the AppScan Source Database schema and data to an existing Oracle database. In order to create the Oracle schema, the AppScan Source installer must be run on the same machine on which the Oracle database is installed - or on a machine where the full Oracle client is installed (the installer must be able to access the Oracle sqlplus and sqlldr utilities). Procedure 1. Install the AppScan Enterprise Server according to the installation instructions provided with it. See “AppScan Enterprise Server overview” on page 58 to learn more about the server. 2. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage). 3. Extract the image to a local drive and, in the resulting directory, locate and run the setup file. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 54 topic in the IBM Security AppScan Source Installation and Administration Guide. Note: There are images for each product in the AppScan Source family. The setup file is located at the root of these zipped images. 4. In the Component Selection installation panel, select Server Component Selection and then ensure that AppScan Source Database is selected. Click Next to advance to the next installation panel. 5. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to: v I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source. v I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. v I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options. Chapter 5. Advanced installation and activation topics 63 v I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields: – AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format. – User ID: Specify your AppScan Enterprise Server user ID. – Password: Specify the password for your AppScan Enterprise Server user ID. When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source. v Let me proceed without specifying a server: Select this option to proceed without specifying a server. Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69, ensuring that the Force TLSv1.2 option is applied. Click Next to advance to the next installation panel. Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options. 6. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are: v 32-bit versions of Microsoft Windows: :\Program Files\IBM\AppScanSource v 64-bit versions of Microsoft Windows: :\Program Files (x86)\IBM\AppScanSource v Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to /AppScan_Source by default. v OS X: /Applications/AppScanSource.app Important: v The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted. v If you are installing on Windows, you must have Administrator privileges to install AppScan Source components. v If you are installing on Linux, you must have root privileges to install AppScan Source server components. Click Next to advance to the next installation panel. 7. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select the Install database into existing Oracle 11g Server radio button and then click Next to advance to the next installation panel. 64 IBM Security AppScan Source: Installation and Administration Guide 8. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page - and Install database into existing Oracle 11g Server was selected in the Database selection page the Oracle Database Server panel displays. In this page, specify: v Oracle Home: Specify the location of your Oracle installation. v Oracle TNS Location: This is the location where the tnsnames.ora file is located. By default, this is \network\admin (where is the location of your Oracle installation. v Oracle Service Name/SID: Specify the connection string or TNS Alias, for example //:/. Specifying a TNS Alias requires AppScan Enterprise Server configuration. See “Oracle TNS Alias configuration” on page 68 for details. v System User Name: Specify the Oracle user that will be used to perform the installation. This user name must have authority to create other users. The default value is system v System Password: Specify the password for the System User Name user. v Test Connection: Click this button to verify that the database settings and credentials that have been provided are correct. v AppScan User Name: Specify the AppScan Source Database user to create. The default value is ounce. v AppScan Password: Specify the password for the AppScan User Name user. The default value is ounce. v Direct Data Load check box: If selected, the initial AppScan Source data will be loaded via Oracle Direct Load. This check box is selected by default. v Sysdba User: If the Direct Data Load check box is selected, specify a user with sysdba privileges. The default value is sysdba. v Sysdba Password: Specify the password for Sysdba User. v Path to SqlPlus: Specify the path on disk to the sqlplus executable. This will be used to run sql scripts during the installation. The default value is sqlplus. An absolute path is not necessary if the sqlplus executable exists on the system path. v Path to Sqlldr: Specify the path on disk to the sqlldr executable. This will be used to load data during the installation. The default value is sqlldr. An absolute path is not necessary if the sqlldr executable exists on the system path. Important: After the installation completes with these settings, a new schema and AppScan Source Database user is automatically installed to your Oracle database. The AppScan Source Database user does not need to be created manually. Note: v After completing an installation that includes the installation of the AppScan Source Database schema and data to an existing Oracle database, please see \logs\core_exceptions.log (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55) to verify that no installation errors occurred. v If you are connecting the AppScan Enterprise Server to an Oracle database, you must set the character set to UTF-8 when creating the database (this is typically not the default character set). Chapter 5. Advanced installation and activation topics 65 v The AppScan Source installation requires, but does not install, the Oracle Instant Client (OCI) libraries. See “Installing the Oracle Client (OCI) libraries” on page 67 for more information. v If you specify a TNS Alias as the Oracle Connection String, you may see this error in the core_exceptions.log file: Unable to process the database transaction. Error: ORA-12154 (the message may be accompanied by error text from the Oracle database). To resolve this, complete one of these tasks: – Copy the Oracle tnsnames.ora file to \bin (where is the location of your AppScan Source installation). – Open \config\ounce.ozsettings (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55). In the file, locate the tns_admin setting and change its value to point to the directory that contains the Oracle tnsnames.ora file. Save the changes to the file. Click Next to advance to the next installation panel. 9. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 10. Review and accept the terms of the license agreement and then click Next to continue. 11. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive. For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.) During the installation, clicking Cancel at any time results in the uninstallation of all components. 12. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings and that the server has been configured for Jazz Team Server authentication. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings: v AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance. 66 IBM Security AppScan Source: Installation and Administration Guide v User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format \). v Password: Specify the password for your AppScan Enterprise Server user ID. v Database Host Name: Specify the host name for the machine on which you have installed the AppScan Source Database. Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly. Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 topic in the IBM Security AppScan Source Installation and Administration Guide. Click Next to advance to the next installation panel. 13. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard. 14. In the License Manager utility: a. To apply a license file, click Import and then browse to your downloaded AppScan Source license. b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license. See Chapter 8, “Activating the software,” on page 97 for additional activation instructions. Installing the Oracle Client (OCI) libraries The AppScan Source installation does not install the Oracle Client (OCI) libraries. If you are deploying AppScan Source using an Oracle database, every client machine running AppScan Source products must have an Oracle client installed in order to communicate with the database. To use an Oracle client you already have installed, you must ensure that the client libraries can be found by AppScan Source, according to the instructions in this topic. After the installation is complete, if you see a connection error in \logs\scanner_exceptions.log (on Windows) or /logs/scanner_exceptions.log (on Linux) (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55), this may be because the Oracle Client libraries cannot be found. On Linux, this error will state that libclntsh.so could not be found. On Windows, it will state that ociw32.dll could not be found. If you do not have an existing Oracle client installation, the Oracle Client can be downloaded from http://www.oracle.com/technology/tech/oci/instantclient/ index.html. Chapter 5. Advanced installation and activation topics 67 In order to create the Oracle schema, the AppScan Source installer must either be run on the same machine on which the Oracle database is installed, or on a machine on which the full Oracle client is installed. This is required so that the installer can access the Oracle sqlplus and sqlldr utilities. On Linux If it does not already exist on your system, you need to create a symbolic link in the $Oracle_Home\lib directory. This link should be called libclntsh.so, and should point to a specific version of this file. For example: v Oracle Version 11 client: lrwxrwxrwx 1 oracle oracle 63 Oct 2 14:16 libclntsh.so -> /u01/app/oracle/home/lib/libclntsh.so.11.1 v Oracle Version 10 client: lrwxrwxrwx 1 oracle oracle 63 Oct 2 14:16 libclntsh.so -> /u01/app/oracle/home/lib/libclntsh.so.10.1 In addition, the directory containing libclntsh.so must be included in your $LD_LIBRARY_PATH prior to running the installer. You may also need to set values for the NLS_LANG and ORA_NLS10 (or ORA_NLS11) environment variables. For example: export NLS_LANG=AMERICAN_AMERICA.AL32UTF8 export ORA_NLS10=$ORACLE_HOME/nls/data See your Oracle documentation for information about these variables. Automation Server: If you are using the AppScan Source for Automation server, you may have to edit the /etc/init.d/ounceautod start script to ensure that the Oracle client libraries are included in the $LD_LIBRARY_PATH for the user account of the ounceautod daemon. On Windows The %ORACLE_HOME%/bin directory must be included in your PATH environment variable. Oracle Instant Client The Oracle Instant Client is only supported when you are connecting to an existing Oracle database that has AppScan Source schema applied. v On Linux: The libclntsh.so symbolic link should be created in the same directory as your Oracle Instant Client libraries and this directory should be included in $LD_LIBRARY_PATH. Note: When using the Basic Lite version of the Oracle Instant Client, you should not set the ORA_NLS10 (or ORA_NLS11) variable. v On Windows: Ensure the Oracle Instant Client .dll files can be found in your PATH. Oracle TNS Alias configuration When configuring the connection to an Oracle database during AppScan Source installation, you can use a TNS Alias instead of an Oracle Connection String. Doing this requires AppScan Enterprise Server configuration, as outlined in this topic. 68 IBM Security AppScan Source: Installation and Administration Guide About this task For information, please see the Configuring an AppScan Source Oracle database with AppScan Enterprise Server topic at http://www.ibm.com/support/ knowledgecenter/SSW2NF/welcome. Registering the AppScan Source Database with AppScan Enterprise Server During AppScan Source installation, if valid settings have been entered, the AppScan Source Database should automatically be registered with the server. However, in the event that database registration does not complete or succeed, follow the instructions in this topic for completing the registration. AppScan Source includes a utility that allows you to register the database with the server. The tool is \bin\appscanserverdbmgr.bat (where is the location of your AppScan Source installation) - or /bin/appscanserverdbmgr.sh on Linux. If you are having database/server connection problems, this tool can be run at a command prompt (after the server and client components have been installed) with these parameters: Table 2. appscanserverdbmgr.bat parameters IBM Security AppScan Enterprise Server Database Configuration graphical user interface equivalent Parameter Description None Launches a graphical user interface that allows you to enter and validate your AppScan Enterprise Server and AppScan Source Database configuration information, as described below. -s URL for your AppScan Enterprise Server instance. For example, https://localhost:9443/ ase/. Server URL -u AppScan Enterprise Server and AppScan Source Database User ID. User ID -p Password for your AppScan Enterprise Server and AppScan Source Database User ID. Password -forceTLSv12 Specify true with this setting Force TLSv1.2 only if your AppScan Enterprise Server is enabled for NIST 800-131a compliance (failing to do this will cause server connections to fail). If your AppScan Enterprise Server is not enabled for NIST 800-131a compliance, specify false with this setting. Chapter 5. Advanced installation and activation topics 69 Table 2. appscanserverdbmgr.bat parameters (continued) IBM Security AppScan Enterprise Server Database Configuration graphical user interface equivalent Parameter Description -dbClient Specify 1 if your AppScan Source Database is IBM solidDB. Specify 2 if it is Oracle. IBM SolidDB or Oracle -dbConnString Database connection string (for example, "Driver={IBM solidDB 7.0 32-bit (ANSI)}"). Connection String If you are running an Oracle database, you can specify a TNS alias, if you have configured the server according to “Oracle TNS Alias configuration” on page 68. -dbConnInfo Database connection information (for example, "tcp myhostname.mydomain.com 2315"). Note: If localhost is specified rather than a fully-qualified host name, only the user of the local machine will be able to connect to the database. Connection Info -dbUserid User ID for your database user account. Database User ID -dbPassword Password for your database user account user ID. Password If you are using the graphical user interface, click Validate Connection after completing all entries in the AppScan Enterprise Server section. Once the entries have been validated, complete the entries in the AppScan Source Database section and click Validate Connection. When the database entries are validated, click Apply changes to register the database with the server. Backing up the AppScan Source Database It is recommended that you protect yourself from loss of data in the AppScan Source Database by following routine backup procedures. You should back up the AppScan Source Database before upgrading to a new version or removing a previous version of AppScan Source. To back up an Oracle database, contact the Oracle database administrator. To learn how to manually back up and restore the IBM solidDB database, consult the IBM solidDB Administrator Guide that is referenced in http://www.ibm.com/ support/docview.wss?rs=3457&uid=swg27017392. 70 IBM Security AppScan Source: Installation and Administration Guide Note: If you are upgrading AppScan Source Version 7.0 to Version 8.5, you will have the option of automatically creating a backup of solidDB that was installed with AppScan Source before removal of Rational AppScan Source Edition for Portfolio Manager Version 7.0 from your computer. If you choose this option, the backup will be saved to \solidDB\com.ouncelabs.db. (on Windows) or /solidDB/com.ouncelabs.db. (on Linux) (where is the location of your AppScan Source installation). For example, on Windows (32-bit), the backup will be saved to C:\Program Files\IBM\AppScan Source\solidDB\com.ouncelabs.db. by default. Restoring the AppScan Source IBM solidDB database To restore a solidDB database that you have backed up, follow the instructions in this task topic. Procedure 1. Stop the IBM Security AppScan Source DB service. 2. Locate \soliddb\logs (on Windows) or /soliddb/ logs (on Linux) (where is the location of your AppScan Source installation). Delete all files in that directory. 3. Copy the database backup to \solidDB\appscansrc (on Windows) or /solidDB/appscansrc (on Linux). 4. Start the IBM Security AppScan Source DB service. Installing AppScan Source on OS X This topic describes how to install the setup app on OS X. Procedure 1. Start the installation wizard. 2. Installation on OS X requires an administrator password. To enter the administrator password, click the lock icon in the Authentication panel. 3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. 4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure. 5. In the Component Selection installation panel, select the components to install. AppScan Source components are divided into server and client components: a. To install AppScan Source server components, select Server Component Selection and then choose the components to install: v AppScan Source Database v AppScan Source for Automation b. To install AppScan Source client components, select Client Component Selection and then choose the components to install: v AppScan Source for Analysis v AppScan Source Command Line Interface v AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default) Chapter 5. Advanced installation and activation topics 71 v Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default)(this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system) v Windows only: AppScan Source for Development for Visual Studio (not selected by default)(this option is only available if the installer detected Microsoft Visual Studio 2010 on your system) v Windows only: AppScan Source for Development for Visual Studio (not selected by default)(this option is only available if the installer detected Microsoft Visual Studio 2012 on your system) 2010 has 2012 has By default, when Client Component Selection is selected, the AppScan Source for Development plug-in components are deselected and all other components are selected. After you have selected the components that you want to install, click Next to advance to the next installation panel. 6. In the Installation Target Specification page, specify the installation directory. The default directory is /Applications/AppScanSource.app on OS X. Important: v The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted. Click Next to advance to the next installation panel. 7. If the AppScan Source for Automation component was selected for installation, the IBM Security AppScan Source for Automation Configuration panel displays. In this page, specify: v Host Name: The host name or IP address of the AppScan Enterprise Server to which the Automation Server will connect. v User Name: The AppScan Source user that the Automation Server uses to process requests. v Password: AppScan Source user's password. v Confirm Password: Confirm the password. Click Next to advance to the next installation panel. Note: If you do not specify a user name and password during installation, you must configure AppScan Source for Automation after installation to run as an AppScan Source user by specifying login credentials from the command line. See the IBM Security AppScan Source Utilities User Guide for more information. 8. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 72 IBM Security AppScan Source: Installation and Administration Guide 9. Review and accept the terms of the license agreement and then click Next to continue. 10. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive. For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.) During the installation, clicking Cancel at any time results in the uninstallation of all components. 11. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard. 12. In the License Manager utility: a. To apply a license file, click Import and then browse to your downloaded AppScan Source license. b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license. See Chapter 8, “Activating the software,” on page 97 for additional activation instructions. Results If you installed AppScan Source for Automation and the user account that you specified for it in the Configuration installation panel does not already exist, you will need to create it manually (post-installation) with the AppScan Enterprise Server, AppScan Source for Analysis, or the AppScan Source command line interface (CLI). For complete access to AppScan Source for Automation capabilities, this user account requires these permissions: v Application and Project Management – Register – Scan v Assessment Management – Save Assessments – Publish Assessments Important: After installing on OS X, AppScan Source may fail to launch if the system host name cannot be resolved. In this case, you may receive a message that includes this warning: WARNING: "IOP00710208: (INTERNAL) Unable to determine local hostname from InetAddress.getLocalHost().getHostName()" This occurs because AppScan Source relies on interprocess communication, requiring that localhost and your system host name can be resolved to an IP address. Chapter 5. Advanced installation and activation topics 73 To resolve this, ensure that localhost and your system host name can be resolved using the nslookup Terminal command. If they cannot be resolved, one way to ensure that they can is to modify your /etc/hosts file to include them. In the /etc/hosts file, v Include a mapping of your host name to 127.0.0.1 v Include a mapping of localhost to 127.0.0.1 Installing AppScan Source for Development The AppScan Source for Development plug-ins are installed to your computer via the standard AppScan Source installation wizard. If you are upgrading the AppScan Source product to a new product version and want to apply the upgrade to the AppScan Source for Development Eclipse plug-ins, you must first uninstall the plug-ins from your Eclipse or Eclipse-based product. After you have upgraded AppScan Source, you can then install the updated plug-ins back to Eclipse or supported Eclipse-based products. Instructions for this are located in “Upgrading previously-installed versions of the AppScan Source for Development Eclipse plug-in to a new product version” on page 77. If you are upgrading the AppScan Source product as part of a fix pack upgrade, you do not need to uninstall the plug-ins before upgrading. Instructions for installing fix packs (and applying upgraded AppScan Source for Development plug-ins) can be found in “Fix pack installation” on page 81. AppScan Source for Development (plug-in for Eclipse, IBM Worklight, and Rational Application Developer for WebSphere Software (RAD)) If you are installing the AppScan Source for Development plug-in for Eclipse or Rational Application Developer for WebSphere Software (RAD), you will need to apply the plug-ins to your workbench after installing them to your computer. The application of the AppScan Source for Development Eclipse plug-in depends on the application of some Eclipse tools (the Graphical Editing Framework (GEF) and Draw2d). Most versions of Eclipse that are supported by AppScan Source for Development include these features. If yours does not, install these components into your Eclipse environment using the appropriate eclipse.org update site before installing AppScan Source for Development. Failure to do this may result in errors while applying the AppScan Source for Development plug-in to Eclipse. If you are upgrading the AppScan Source product to a new product version and want to apply the upgrade to theAppScan Source for Development Eclipse plug-ins, you must first uninstall the plug-ins from your Eclipse or Eclipse-based product. After you have upgraded AppScan Source, you can then install the updated plug-ins back to Eclipse or supported Eclipse-based products. Instructions for this are located in “Upgrading previously-installed versions of the AppScan Source for Development Eclipse plug-in to a new product version” on page 77. If you are upgrading the AppScan Source product as part of a fix pack upgrade, you do not need to uninstall the plug-ins before upgrading. Instructions for installing fix packs (and applying upgraded AppScan Source for Development plug-ins) can be found in “Fix pack installation” on page 81. Note: 74 IBM Security AppScan Source: Installation and Administration Guide Attempts to run some actions in AppScan Source for Development (Eclipse plug-in) (for example, launching a scan or starting actions that require a login) can result in this error message (or one that is similar to it): Unable to link native library shared-win32-x64.dll. You may need to install an appropriate Microsoft Visual C++ 2010 Redistributable Package for your system. When running on a 64-bit Java Runtime Environment, this typically indicates that the 64-bit Microsoft Visual C++ runtime library is unavailable. To resolve this problem, install the Microsoft Visual C++ 2010 Redistributable Package, available at http://www.microsoft.com/en-ca/download/details.aspx?id=14632. Installing the plug-in for Eclipse and Rational Application Developer for WebSphere Software (RAD) About this task The AppScan Source Client installation includes the AppScan Source for Development plug-in for Eclipse and Rational Application Developer for WebSphere Software (RAD) components. The installation also requires Eclipse Updates and the addition of the plug-in to your development environment. Procedure 1. Start the installation wizard. 2. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. 3. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure. 4. Select AppScan Source for Development for Eclipse, RAD, Worklight from the list of client components. Click Next advance to the next installation panel. Important: After the AppScan Source for Development plug-in installation, you must update the features from the Eclipse or Application Developer IDE. 5. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are: v 32-bit versions of Microsoft Windows: :\Program Files\IBM\AppScanSource v 64-bit versions of Microsoft Windows: :\Program Files (x86)\IBM\AppScanSource v Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to /AppScan_Source by default. v OS X: /Applications/AppScanSource.app Important: v The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted. v If you are installing on Windows, you must have Administrator privileges to install AppScan Source components. Chapter 5. Advanced installation and activation topics 75 v If you are installing on Linux, you must have root privileges to install AppScan Source server components. Click Next to advance to the next installation panel. 6. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 7. Review and accept the terms of the license agreement and then click Next to continue. 8. Review the summary of installation options before copying files. Click Install. The installer copies files to the hard disk drive. Applying the AppScan Source for Development (Eclipse plug-in) to Eclipse and supported Eclipse-based products Eclipse and Eclipse-based products include a feature that allows you to install new software. You can use the feature to update your installation or browse to plug-ins that you want to add to your installation. The instructions in this topic guide you through the application of the AppScan Source for Development plug-in to Eclipse Versions 3.6, 3.7, 3.8, 4.2, 4.2.x, 4.3, 4.3.1, 4.3.2, and 4.4 and RAD Versions 8.0.x, 8.5, 8.5.1, 9.0, 9.0.1, and 9.1 on Windows and Linux or RAD Versions 9.0, 9.0.1, and 9.1 on OS X. Procedure 1. Select Help > Install New Software from the main workbench menu bar. 2. In the Install dialog box Available Software page, click Add. 3. In the Add Site dialog box (in some versions of Eclipse, the dialog box is named Add Repository), specify a name for the update site in the Name field. 4. Follow these instructions for adding a site, depending on your operating system: a. Windows and Linux: Click Local. In the Browse for Folder dialog box, navigate to the AppScan Source installation directory (see “Default installation location” on page 55). Click OK to return to the Add Site dialog box and then click OK to add the update site. b. OS X: In the Location field, enter file:/Applications/AppScanSource.app/ and then click OK to add the update site. 5. The new site appears in the list. Complete this page according to your installation scenario: v Applying the plug-ins after a full product installation: Select the check box next to the IBM Security AppScan Source Security Analysis Feature local site. The application of the AppScan Source for Development Eclipse plug-in depends on the application of some Eclipse tools (the Graphical Editing 76 IBM Security AppScan Source: Installation and Administration Guide Framework (GEF) and Draw2d). Most versions of Eclipse that are supported by AppScan Source for Development include these features. If yours does not, install these components into your Eclipse environment using the appropriate eclipse.org update site before installing AppScan Source for Development. Failure to do this may result in errors while applying the AppScan Source for Development plug-in to Eclipse. v Applying the plug-ins after a fix pack installation: – If you are applying the plug-ins to a development environment to which you had already applied previous versions of the plug-ins, select the check box next to the IBM Security AppScan Source Security Analysis Feature local site. – If you are applying the plug-ins to a development environment that does not already include the plug-ins, follow the above instructions for Applying the plug-ins after a full product installation. Note: The IBM Security AppScan Source Security Analysis Feature local site should include a client feature for the fix pack version that you are applying. If this feature is not present, it may be necessary to refresh or recreate the local site. Click Next to proceed to the next Install panel. 6. In the Install Details page, review the items to be installed and then click Next. 7. In the Review Licenses page, accept the license agreement and then click Finish. 8. When prompted, restart Eclipse. The Security Analysis menu appears after the installation completes. The first time you attempt to use an AppScan Source action, a message will open asking if you want to use an AppScan Enterprise Server. If you do not use a server, you cannot access shared items such as filters, scan configurations, and custom rules. This setting can be changed later in the General Preferences. Additional AppScan Source for Development installation requirements The AppScan Source for Development Eclipse plug-in requires additional configuration. 1. The AppScan Source for Development plug-in for Eclipse requires a Java Runtime Environment (JRE) that is Version 1.5 or higher. If your environment points to a JRE that does not meet this requirement, edit the eclipse.ini file in the Eclipse installation directory so that it points to a JRE that does meet this requirement. For information about making this change to the eclipse.ini file, see the Specifying the JVM section of http://wiki.eclipse.org/Eclipse.ini. 2. The AppScan Source for Development plug-in for Eclipse on Linux (Eclipse or RAD) requires that you add the AppScan Source installation directory to the LD_LIBRARY_PATH. For example, if you use the bash shell, add this line to the ~/.bashrc initialization: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/ibm/appscansource Upgrading previously-installed versions of the AppScan Source for Development Eclipse plug-in to a new product version To upgrade the AppScan Source for Development Eclipse plug-in to a new product version, you must remove or disable the current plug-ins from the computer and then install the newer version. Chapter 5. Advanced installation and activation topics 77 About this task This task describes the process for upgrading various levels of Eclipse and Rational Application Developer for WebSphere Software (RAD) to apply the AppScan Source for Development Eclipse plug-in (full product installation). Important: This topic does not apply to fix pack upgrades. If you are upgrading the AppScan Source product as part of a fix pack upgrade, you do not need to uninstall the plug-ins before upgrading. Instructions for installing fix packs (and applying upgraded AppScan Source for Development plug-ins) can be found in “Fix pack installation” on page 81. Upgrading Eclipse and Rational Application Developer for WebSphere Software (RAD): Procedure 1. Depending on the workbench that you are running, select Help > About from the main workbench menu bar (where is the name of the Eclipse-based product that you are upgrading). 2. In the About dialog box, click Installation Details. 3. In the Details dialog box, multiselect the components that were added for the previously-installed version of AppScan Source. 4. Click Uninstall. 5. When the uninstall procedure completes, restart the workbench if prompted. 6. Follow the steps in “Applying the AppScan Source for Development (Eclipse plug-in) to Eclipse and supported Eclipse-based products” on page 76 for applying the new developer plug-ins. Installing the AppScan Source for Development plug-in for Visual Studio About this task Important: You must have Visual Studio 2008, Visual Studio 2010, or Visual Studio 2012 installed on your computer before installing the AppScan Source for Development plug-in for Visual Studio. The AppScan Source for Development plug-in for Visual Studio is only supported on Windows. If the AppScan Source setup wizard finds an installed version of one of these versions of Visual Studio, the AppScan Source for Development plug-in for that Visual Studio version appears as an installation option. Procedure 1. Ensure that Visual Studio is closed. If Visual Studio is running during the AppScan Source for Development installation, it will need to be restarted when the installation is complete. 2. Start the installation wizard. 3. Select the appropriate version of the plug-in from the list of client components: v AppScan Source for Development for Visual Studio 2008 v AppScan Source for Development for Visual Studio 2010 v AppScan Source for Development for Visual Studio 2008 Note: 78 IBM Security AppScan Source: Installation and Administration Guide v These options are only available for the version of Visual Studio that has been installed on the machine that is running the installation wizard. For example, if Visual Studio 2008 and Visual Studio 2010 are on the client machine, but Visual Studio 2012 is not, only options for installing AppScan Source for Development for Visual Studio 2008 and AppScan Source for Development for Visual Studio 2010 will be available in the installation wizard. v You can choose to install the plug-in for multiple versions of Visual Studio, if they have been detected by the installation wizard. Click Next advance to the next installation panel. 4. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 5. Review and accept the terms of the license agreement and then click Next to continue. 6. Review the summary of installation options before copying files. Click Install. The installer copies files to the hard disk drive. Installing AppScan Source for Automation About this task AppScan Source for Automation is an optional component in the installation packages. Important: To install AppScan Source for Automation, you must have root/administrator privileges. Procedure 1. Start the installation wizard. 2. Select Server Component Selection and then select AppScan Source for Automation as the component to install. Click Next advance to the next installation panel. 3. Specify the installation directory. v 32-bit versions of Microsoft Windows: :\Program Files\IBM\AppScanSource v 64-bit versions of Microsoft Windows: :\Program Files (x86)\IBM\AppScanSource v Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the Chapter 5. Advanced installation and activation topics 79 AppScan Source for Development Eclipse plug-in - which installs to /AppScan_Source by default. v OS X: /Applications/AppScanSource.app Click Next advance to the next installation panel. 4. In the IBM Security AppScan Source for Automation Configuration panel, specify: v Host Name: The host name or IP address of the AppScan Enterprise Server to which the Automation Server will connect. v User Name: The AppScan Source user that the Automation Server uses to process requests. v Password: AppScan Source user's password. v Confirm Password: Confirm the password. Click Next to advance to the next installation panel. Note: If you do not specify a user name and password during installation, you must configure AppScan Source for Automation after installation to run as an AppScan Source user by specifying login credentials from the command line. See the IBM Security AppScan Source Utilities User Guide for more information. 5. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale. By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected). After you have selected the language packs that you want to install, click Next to advance to the next installation panel. Note: If you do not install a specific language pack, you will not be able to add that language post-installation. 6. Review and accept the terms of the license agreement and then click Next to continue. 7. Review the summary of installation options before copying files. 8. The installation requests the following: v AppScan Enterprise Server: The host name or IP address of the AppScan Enterprise Server to which AppScan Source for Automation will connect. v User Name: The AppScan Source user that AppScan Source for Automation will use to process requests. v Password: The password for the user specified in the User Name field. v Confirm Password: Confirm the password. 9. Click Next to install the files, and then click Done to complete the installation. Results If the AppScan Source user account does not already exist, you will need to specify it in the AppScan Source for Automation Configuration installation panel and then create it manually (post-installation) with the AppScan Enterprise Server, AppScan 80 IBM Security AppScan Source: Installation and Administration Guide Source for Analysis, or the AppScan Source command line interface (CLI). For complete access to AppScan Source for Automation capabilities, this user account requires these permissions: v Application and Project Management – Register – Scan v Assessment Management – Save Assessments – Publish Assessments Syntax On Windows: \bin\ounceautod.exe -u -p --persist On Linux and OS X: /bin/ounceautod -u -p --persist Where: v is the location of your AppScan Source installation. v -u is the AppScan Source user with which the Automation Server authenticates when processing a request. The user must be created with the required permissions. v -p is the user's password. If you specify a user name, you must specify the password. v --persist preserves the login credentials on disk. Creates an encrypted key file with the specified user name and password. After you specify the user name and password, you can start the Automation Server: v On Windows, start the IBM Security AppScan Source for Automation service. v On Linux, start the daemon by issuing this command: /etc/init.d/ounceautod start v On OS X, issue this command: launchctl start com.ibm.appscan.autod Fix pack installation AppScan Source fix packs are delivered by delta installer. To apply an AppScan Source fix pack, follow the instructions in this help topic. About this task Important: You cannot create a custom installation with the fix pack installer. Procedure 1. Download and launch the fix pack installation executable file: v Microsoft Windows: – Run setup.exe to launch the installation wizard. – To run the installation silently, issue setup.exe -i silent -D$LICENSE_ACCEPTED$="true" at a command prompt, where: Chapter 5. Advanced installation and activation topics 81 - The -i silent parameter is used to indicate that the installation will run silently. - The -D$LICENSE_ACCEPTED$="true" parameter indicates that you accept the product license. v Linux: From a command prompt, – Issue the setup.bin command to launch the installation wizard. – To run the installation silently, issue setup.bin -i silent -D$LICENSE_ACCEPTED$="true", where: - The -i silent parameter is used to indicate that the installation will run silently. - The -D$LICENSE_ACCEPTED$="true" parameter indicates that you accept the product license. Note that, depending on the shell being used to run the installation, this parameter may need to be escaped by issuing -D\$LICENSE_ACCEPTED\$="true". v OS X: Open setup.dmg and then run the setup app. Note: Silent installation of fix packs is not supported on OS X. If you are installing with the installation wizard, complete the remaining steps. 2. When you first launch the installation wizard, you are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed. 3. Read the Welcome - Installation Upgrade Wizard panel, heeding any recommendations that it contains. Click Next to proceed. 4. In the Setup Confirmation panel, review the installation information summary before proceeding, and then click Install to apply the fix pack. 5. If you are upgrading an installation that included the AppScan Source Database, a database update installation panel will display (if the fix pack includes a database upgrade). In this panel, enter the credentials for the database user account and then click Start. When the database upgrade is complete, click Next. Note: v Upgrading solidDB: During the database upgrade, a backup of the existing database is created. If the database upgrade fails, the installer will revert to the backup and allow you to start the database upgrade again (if there are problems with the existing database that prevent the upgrade, you can restart the database upgrade after resolving the problems). v Upgrading Oracle: If the database upgrade fails, the installer will allow you to start the database upgrade again (if there are problems with the existing database that prevent the upgrade, you can restart the database upgrade after resolving the problems). 6. Review any messages in the Installation Complete panel and then click Done. It is recommended that you restart your system after the installation is complete. What to do next On Windows or Linux, if your development environment includes the AppScan Source for Development Eclipse plug-ins, you will need to apply the plug-ins to your workbench after installing the fix pack. Instructions for doing this can be found in this topic: 82 IBM Security AppScan Source: Installation and Administration Guide v “Applying the AppScan Source for Development (Eclipse plug-in) to Eclipse and supported Eclipse-based products” on page 76 Chapter 5. Advanced installation and activation topics 83 84 IBM Security AppScan Source: Installation and Administration Guide Chapter 6. Customizing the AppScan Source installation You can customize the installation for the purpose of creating a custom installation wizard - or you can create a custom installer that installs the product silently. Note: When applying fix packs, you cannot create custom installations. This section does not apply to fix pack installations. To learn how to run fix pack installations silently, see “Fix pack installation” on page 81. In an enterprise deployment, the AppScan Source administrator can customize the installation for specific classes of users. Creating a custom installation includes limiting the component availability, selection, or both, as well as defining default values for the installation attributes. With the Custom Installation Wizard, you can create as many custom installations as necessary, including silent installations. You can manage and standardize the manner in which all the users in your organization install AppScan Source products. If you are deploying AppScan Source throughout a large organization, it is most efficient first to install on a network server and then have users initiate installation from this central point of control. Creating a custom or silent installation AppScan Source includes a graphical Installation Configuration Wizard that an administrator can use to create a silent (noninteractive) installation or a custom graphical installation. When the administrator runs the installer to create a custom installation, a new configuration properties file is generated. This properties file is then available for use by the AppScan Source installer. The Installation Configuration Wizard can modify an existing configuration file or create a new configuration file. The wizard provides the ability to customize the installation by defining: v If the installation is interactive or silent. v Available components for installation (available for interactive installations only). v Default component selection (available for interactive installations only). v Which components are mandatory or automatically installed. v v v v Default installation folder. Default language packs to install. The license file or license server to be used. User account to be used by AppScan Source for Automation (if it is selected as a component or available component for installation). Note: If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR). © Copyright IBM Corp. 2003, 2014 85 Launching the Installation Configuration Wizard This topic describes how to launch the Installation Configuration Wizard (the wizard that is used for creating a custom or silent installation file). About this task An administrator initiates the configuration tool by defining the environment variable OUNCE_CONFIG_FILE and pointing it to a properties file that will hold installation configuration settings. This file is then used for running custom or silent installations. Note: When setting OUNCE_CONFIG_FILE, do not put quotes around the value, even if the value contains spaces. Procedure v On Windows systems, issue these commands: set OUNCE_CONFIG_FILE= setup.exe Where is the fully-qualified path and filename of the properties file that will contain installation settings. For example, issue set OUNCE_CONFIG_FILE=C:\ install.properties to save installation settings to that file. v On Linux systems: export OUNCE_CONFIG_FILE= ./setup.bin Where is the fully-qualified path and filename of the properties file that will contain installation settings. v On OS X systems: 1. Issue this command against the AppScan Source setup.dmg file: hdiutil attach setup.dmg -shadow This will extract the setup.app directory into the /Volumes/AppScanSource directory. It will also create a setup.dmg.shadow file which you should delete after the installation is complete. 2. Initiate the creation of the properties file by issuing these commands: export OUNCE_CONFIG_FILE= ./setup.app Where is the fully-qualified path and filename of the properties file that will contain installation settings. Note that the filename must be install.properties on OS X. 3. Copy installer.properties to the /Volumes/AppScanSource/setup.app/ Contents/Resources directory. Results If the file name exists and is valid, the custom wizard uses the properties in the file as the default properties. You can save the configuration with the existing file name or a new file name. If the file name does not exist, the wizard uses the AppScan Source default properties, and the specified file name appears as the default when you save the configuration. Using the Custom Installation Configuration Wizard The Custom Installation Wizard appears and identifies that you are about to create a configuration file to use for an AppScan Source installation. 86 IBM Security AppScan Source: Installation and Administration Guide About this task If you run the Custom Installation Wizard on a Windows system, the Linux daemon user step appears. If a Windows installation uses the final configuration file, it ignores this value. Procedure 1. In the Silent Installation Option panel, configure the installation type by indicating if the installation should be silent or not. Select No if you want to create an interactive custom installation. Note: If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR). Click Next to advance to the next installation panel. 2. Interactive custom installations only: If you are creating an interactive custom installer (No was selected in the Silent Installation Option panel), you will need to complete three Component Selection panels: a. In the first panel, select the AppScan Source components that will be available (or display) in the interactive custom installation: v AppScan Source for Automation v v v v v v AppScan AppScan AppScan AppScan AppScan AppScan Source Source Source Source Source Source for Analysis Command Line Interface for Development for Visual Studio 2012 for Development for Visual Studio 2010 for Development for Visual Studio 2008 for Development for Eclipse, RAD, Worklight Note: If the target operating system does not support a selected component - or if a selected component relies on software that does not exist on the system - the installation will ignore it, even if it is selected. For example, if the custom installer will be used for installing on a system that does not have a supported version of Microsoft Visual Studio installed on it, selecting AppScan Source for Development for Visual Studio 2012 for installation will be ignored when the custom installer is deployed. The remaining Component Selection panels allow you to indicate if displayed components are selected by default or enabled in the installation panel (components that are not enabled are greyed out when the installer is deployed and cannot be selected). For example, you may want the custom installer to force the installation of a component. You can achieve this by having the component selected by default, but not enabled. If a component is set to be available, but not selected by default or enabled, the component will not install (it will be greyed out and not selected for installation). Click Next to advance to the next installation panel. b. The next Component Selection panel only displays components that were selected to be available in the interactive custom installation. In this panel, identify which available components are to be selected by default. Click Next to advance to the next installation panel. c. Identify the components to enable for user selection/deselection in the custom installation. Disabling a component makes the installation of that component mandatory (provided it has been set to be selected by default). Click Next to advance to the next installation panel. Chapter 6. Customizing the AppScan Source installation 87 3. Silent custom installations only: If you are creating a silent custom installer (Yes was selected in the Silent Installation Option panel), select the AppScan Source components that the silent installer will install: v v v v v v v AppScan AppScan AppScan AppScan AppScan AppScan AppScan Source Source Source Source Source Source Source for Automation for Analysis Command Line Interface for Development for Visual Studio 2012 for Development for Visual Studio 2010 for Development for Visual Studio 2008 for Development for Eclipse, RAD, Worklight Note: If the target operating system does not support a selected component or if a selected component relies on software that does not exist on the system the installation will ignore it, even if it is selected. For example, if the custom installer will be used for installing on a system that does not have a supported version of Microsoft Visual Studio installed on it, selecting AppScan Source for Development for Visual Studio 2012 for installation will be ignored when the custom installer is deployed. 4. Select the target installation directory. For a silent installation, this is the installation directory. For an interactive installation, this is the default value. Tip: If you run the wizard with an existing configuration file, it reads the values from the file and uses them as the default values. Click Next to advance to the next installation panel. 5. In the License File Specification panel, specify the location of your license file or indicate the host name and port of your license server. Click Next to advance to the next installation panel. 6. In the Specify Properties File panel, specify the name and location of the target properties file. If the wizard uses an existing configuration file, the default path name appears. You can change the file name to create a new configuration file. For Linux server installations only: Identify which Linux user will run the AppScan Source daemons. After copying files, you must identify the service user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with the existing user. (The installation validates that user. Note that the selected user must have a valid shell.) Click Next to save the properties file. Running a custom or silent installation This topic describes, by platform, how to run a custom or silent installation from a command line. Before you begin When launching the wizard that allows you to create a custom installation (see “Launching the Installation Configuration Wizard” on page 86), you create an OUNCE_CONFIG_FILE environment variable. Before running the custom installation, ensure that this environment variable is removed. Procedure v On Windows systems, issue this command: setup.exe -f c:\install.properties 88 IBM Security AppScan Source: Installation and Administration Guide v On Linux systems: setup.bin -f /usr/local/share/my_configs/custom_install.properties v On OS X systems: 1. Issue this command: sudo open /Volumes/AppScanSource/setup.app/Contents/MacOS/setup.app 2. When creating the properties file as explained in “Launching the Installation Configuration Wizard” on page 86, a volume was created for the AppScan Source setup.dmg file. After the installation is complete, issue this command to detach the volume: hdiutil detach /Volumes/AppScanSource Note: During installation, the Setup icon appears in the dock. Installation is complete when the icon no longer appears. 3. When creating the properties file as explained in “Launching the Installation Configuration Wizard” on page 86, a setup.dmg.shadow was created. To remove this file, issue this command: rm -f setup.dmg.shadow Example: Install AppScan Source through a custom installation This example illustrates how you might deploy a custom installation wizard. About this task An Information Technology (IT) department wants to limit or control the installation options for targeted users. Before creating the custom installation, the administrator deploys the AppScan Source software installation files to a file server to which the user has access. The IT department also identifies the different installation configurations based on the various AppScan Source products that each type of user requires. To install AppScan Source with a custom installation: Procedure 1. The IT department copies the appropriate contents either from the AppScan Source installation CD or from an FTP download onto the file server. 2. IT uses the Custom Installation Wizard to create the required installation configuration files for each required installation type, such as AppScan Source for Development and AppScan Source for Analysis. 3. IT places configuration files in a shared public folder. 4. IT sends email to appropriate users. The email contains the hyperlink that when clicked, initiates the appropriate AppScan Source installation for that user. 5. The user checks email and sees a link to the installation location of applicable AppScan Source products. 6. The user initiates the installation from the hyperlink in the email. For example, the hyperlink accesses an IT-provided .bat file or script that makes the appropriate call to setup -f install.properties. 7. The AppScan Source installation begins, displaying the default, but modifiable, options as defined by the IT custom installation configuration. (This includes the Component Selection wizard page.) Chapter 6. Customizing the AppScan Source installation 89 Results After this installation: v The appropriate AppScan Source products are on the desktop v The default Host Server is identified v The license file is copied to the target computer (optional) 90 IBM Security AppScan Source: Installation and Administration Guide Chapter 7. AppScan Source silent installers The AppScan Source custom installation wizard is used for creating silent installers. To learn about customizing AppScan Source installations, see Chapter 6, “Customizing the AppScan Source installation,” on page 85. Note: When applying fix packs, you cannot create custom installations. This section does not apply to fix pack installations. To learn how to run fix pack installations silently, see “Fix pack installation” on page 81. Creating a custom or silent installation AppScan Source includes a graphical Installation Configuration Wizard that an administrator can use to create a silent (noninteractive) installation or a custom graphical installation. When the administrator runs the installer to create a custom installation, a new configuration properties file is generated. This properties file is then available for use by the AppScan Source installer. The Installation Configuration Wizard can modify an existing configuration file or create a new configuration file. The wizard provides the ability to customize the installation by defining: v If the installation is interactive or silent. v Available components for installation (available for interactive installations only). v v v v v v Default component selection (available for interactive installations only). Which components are mandatory or automatically installed. Default installation folder. Default language packs to install. The license file or license server to be used. User account to be used by AppScan Source for Automation (if it is selected as a component or available component for installation). Note: If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR). Launching the Installation Configuration Wizard This topic describes how to launch the Installation Configuration Wizard (the wizard that is used for creating a custom or silent installation file). About this task An administrator initiates the configuration tool by defining the environment variable OUNCE_CONFIG_FILE and pointing it to a properties file that will hold installation configuration settings. This file is then used for running custom or silent installations. © Copyright IBM Corp. 2003, 2014 91 Note: When setting OUNCE_CONFIG_FILE, do not put quotes around the value, even if the value contains spaces. Procedure v On Windows systems, issue these commands: set OUNCE_CONFIG_FILE= setup.exe Where is the fully-qualified path and filename of the properties file that will contain installation settings. For example, issue set OUNCE_CONFIG_FILE=C:\ install.properties to save installation settings to that file. v On Linux systems: export OUNCE_CONFIG_FILE= ./setup.bin Where is the fully-qualified path and filename of the properties file that will contain installation settings. v On OS X systems: 1. Issue this command against the AppScan Source setup.dmg file: hdiutil attach setup.dmg -shadow This will extract the setup.app directory into the /Volumes/AppScanSource directory. It will also create a setup.dmg.shadow file which you should delete after the installation is complete. 2. Initiate the creation of the properties file by issuing these commands: export OUNCE_CONFIG_FILE= ./setup.app Where is the fully-qualified path and filename of the properties file that will contain installation settings. Note that the filename must be install.properties on OS X. 3. Copy installer.properties to the /Volumes/AppScanSource/setup.app/ Contents/Resources directory. Results If the file name exists and is valid, the custom wizard uses the properties in the file as the default properties. You can save the configuration with the existing file name or a new file name. If the file name does not exist, the wizard uses the AppScan Source default properties, and the specified file name appears as the default when you save the configuration. Using the Custom Installation Configuration Wizard The Custom Installation Wizard appears and identifies that you are about to create a configuration file to use for an AppScan Source installation. About this task If you run the Custom Installation Wizard on a Windows system, the Linux daemon user step appears. If a Windows installation uses the final configuration file, it ignores this value. Procedure 1. In the Silent Installation Option panel, configure the installation type by indicating if the installation should be silent or not. Select No if you want to create an interactive custom installation. 92 IBM Security AppScan Source: Installation and Administration Guide Note: If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR). Click Next to advance to the next installation panel. 2. Interactive custom installations only: If you are creating an interactive custom installer (No was selected in the Silent Installation Option panel), you will need to complete three Component Selection panels: a. In the first panel, select the AppScan Source components that will be available (or display) in the interactive custom installation: v AppScan Source for Automation v AppScan Source for Analysis v AppScan Source Command Line Interface v AppScan Source for Development for Visual Studio 2012 v AppScan Source for Development for Visual Studio 2010 v AppScan Source for Development for Visual Studio 2008 v AppScan Source for Development for Eclipse, RAD, Worklight Note: If the target operating system does not support a selected component - or if a selected component relies on software that does not exist on the system - the installation will ignore it, even if it is selected. For example, if the custom installer will be used for installing on a system that does not have a supported version of Microsoft Visual Studio installed on it, selecting AppScan Source for Development for Visual Studio 2012 for installation will be ignored when the custom installer is deployed. The remaining Component Selection panels allow you to indicate if displayed components are selected by default or enabled in the installation panel (components that are not enabled are greyed out when the installer is deployed and cannot be selected). For example, you may want the custom installer to force the installation of a component. You can achieve this by having the component selected by default, but not enabled. If a component is set to be available, but not selected by default or enabled, the component will not install (it will be greyed out and not selected for installation). Click Next to advance to the next installation panel. b. The next Component Selection panel only displays components that were selected to be available in the interactive custom installation. In this panel, identify which available components are to be selected by default. Click Next to advance to the next installation panel. c. Identify the components to enable for user selection/deselection in the custom installation. Disabling a component makes the installation of that component mandatory (provided it has been set to be selected by default). Click Next to advance to the next installation panel. 3. Silent custom installations only: If you are creating a silent custom installer (Yes was selected in the Silent Installation Option panel), select the AppScan Source components that the silent installer will install: v v v v v v AppScan AppScan AppScan AppScan AppScan AppScan Source Source Source Source Source Source for Automation for Analysis Command Line Interface for Development for Visual Studio 2012 for Development for Visual Studio 2010 for Development for Visual Studio 2008 Chapter 7. AppScan Source silent installers 93 v AppScan Source for Development for Eclipse, RAD, Worklight Note: If the target operating system does not support a selected component or if a selected component relies on software that does not exist on the system the installation will ignore it, even if it is selected. For example, if the custom installer will be used for installing on a system that does not have a supported version of Microsoft Visual Studio installed on it, selecting AppScan Source for Development for Visual Studio 2012 for installation will be ignored when the custom installer is deployed. 4. Select the target installation directory. For a silent installation, this is the installation directory. For an interactive installation, this is the default value. Tip: If you run the wizard with an existing configuration file, it reads the values from the file and uses them as the default values. Click Next to advance to the next installation panel. 5. In the License File Specification panel, specify the location of your license file or indicate the host name and port of your license server. Click Next to advance to the next installation panel. 6. In the Specify Properties File panel, specify the name and location of the target properties file. If the wizard uses an existing configuration file, the default path name appears. You can change the file name to create a new configuration file. For Linux server installations only: Identify which Linux user will run the AppScan Source daemons. After copying files, you must identify the service user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with the existing user. (The installation validates that user. Note that the selected user must have a valid shell.) Click Next to save the properties file. Running a custom or silent installation This topic describes, by platform, how to run a custom or silent installation from a command line. Before you begin When launching the wizard that allows you to create a custom installation (see “Launching the Installation Configuration Wizard” on page 86), you create an OUNCE_CONFIG_FILE environment variable. Before running the custom installation, ensure that this environment variable is removed. Procedure v On Windows systems, issue this command: setup.exe -f c:\install.properties v On Linux systems: setup.bin -f /usr/local/share/my_configs/custom_install.properties v On OS X systems: 1. Issue this command: sudo open /Volumes/AppScanSource/setup.app/Contents/MacOS/setup.app 2. When creating the properties file as explained in “Launching the Installation Configuration Wizard” on page 86, a volume was created for the AppScan Source setup.dmg file. After the installation is complete, issue this command to detach the volume: 94 IBM Security AppScan Source: Installation and Administration Guide hdiutil detach /Volumes/AppScanSource Note: During installation, the Setup icon appears in the dock. Installation is complete when the icon no longer appears. 3. When creating the properties file as explained in “Launching the Installation Configuration Wizard” on page 86, a setup.dmg.shadow was created. To remove this file, issue this command: rm -f setup.dmg.shadow Example: Install AppScan Source silently through an Installation Framework This example illustrates how you might deploy a silent installation. About this task An Information Technology (IT) department wants to install the v client components silently through their installation framework. Before creating the client custom installation, the AppScan Source administrator deploys the installation files to a file server to which the installation framework has access. The IT department also identifies the different installation configurations based on the various AppScan Source components that each type of user requires. To install AppScan Source with a custom silent installation: Procedure 1. The IT department copies the appropriate contents either from the AppScan Source installation CD or from an FTP download onto the file server. 2. IT uses the Custom Installation Wizard to create the required installation configuration files for each required installation type, such as AppScan Source for Development and AppScan Source for Analysis. 3. IT places the configuration files in a shared public folder. 4. IT configures the installation framework to recognize the AppScan Source installation and associates appropriate command line calls and installation configurations into the installation framework. 5. The user checks for updates through the installation framework client (on the desktop) and the appropriate (user-specific) AppScan Source product displays in the list for installation. 6. The user initiates installation through the installation framework client. 7. AppScan Source silently installs on the user's desktop computer. Results After this installation: v The appropriate AppScan Source products are installed on the desktop and configured to connect to theAppScan Enterprise Server. v The license file is copied to the target computer. Chapter 7. AppScan Source silent installers 95 96 IBM Security AppScan Source: Installation and Administration Guide Chapter 8. Activating the software You must activate your software before you can use any AppScan Source product. AppScan Source provides a License Manager utility that is used for loading and updating license information on your client machine. This utility allows you to view your current license status - or you can use the utility to activate the product by importing a license file or by using a floating license on a license server. When you launch License Manager, it will scan for any licenses that have previously been loaded. After installing your AppScan Source product, you have three choices for activation: v You can launch the License Manager utility from the product installation wizard (upon installation completion). v You can launch the License Manager utility after installing the product: – On Windows, launch the utility from the Start menu (in the Programs menu, launch IBM Security AppScan Source > AppScan Source License Manager). – On Linux, locate /bin (where is the location of your AppScan Source installation) and run licensemgr.sh by issuing the command ./licensemgr.sh. – On OSX, locate /Applications/AppScanSource.app/bin and run licensemgr.sh by issuing the command ./licensemgr.sh. v You can launch the product. If a license has not already been applied for product usage, you will receive a message indicating that a license must be applied before the product can be used. If you click OK in this message, the License Manager utility will open. To learn more about obtaining and applying licenses for AppScan Source products, see http://www.ibm.com/support/docview.wss?uid=swg21405482. Note: v The License Manager utility must be launched from the installation wizard or Windows Start menu if you are activating a product with a command-line user interface. If you attempt to use a product with a command line interface without first activating the software, you will receive an error message prompting you to activate your software through the License Manager utility. v If you are running the AppScan Enterprise Server without first applying a license, you will receive an error message when you attempt to connect to the server. v For complete use of AppScan Source for Development functionality, its license must be applied with the license for AppScan Source for Remediation. Importing a license file This task topic describes the procedure for importing AppScan Source license files. Procedure 1. AppScan Source license files have a .upd or .txt file extension. Ensure that the license is available on your local file system or on a mapped drive. 2. Click Import license. © Copyright IBM Corp. 2003, 2014 97 3. Use the Import license file dialog box to browse for the license file. Select the license file and then click OK. Note: If you are browsing for a license file on OS X, the contents of the Import license file dialog box may stop displaying (a folder will open, however, its contents do not display). To workaround this, select a different folder - and then re-select the folder whose contents you want to display. 4. When the License file has been imported successfully message appears, click OK to complete activation. 5. Close License Manager to begin using the license when you launch the installed product or products. Using a floating license This task topic describes the procedure for configuring a license server or multiple license servers for floating license activation. Procedure 1. Click Configure license servers to open the Configure license servers dialog box. 2. Click Add. 3. Enter the Host name and Port of a license server and then click Save Changes. Repeat this step to add multiple license servers. Note: The default port for the license server is 27000. Edit this value only if you have set the license server to run on a different port. 4. If you add a license server and need to edit its host name or port, select the server in the list. This will populate the Host name and Port fields. You can edit these settings and then click Save Changes to save the changes to the license server settings. 5. If you add multiple license servers, they will be scanned in the order that they appear in the list in this dialog box. If a floating license for an AppScan Source feature is found, the scan for floating licenses will stop. To change the order in which servers are scanned, select the server that you want to move in the list and then click Up or Down. 6. Click OK when you have configured all license servers. Results After the dialog box closes, the configured license servers are searched for AppScan Source feature floating licenses. When found, they appear in the License Manager license list. If you modify the license server, click Refresh to ensure that License Manager has access to the current license server information. When you are finished configuring floating license servers, close License Manager to begin using the license or licenses when you launch the installed product or products. Note: AppScan Source floating licenses must be hosted on a Rational License Server Version 8 or higher. If they are hosted on a lower level of Rational License Server, they will be visible in License Manager, however AppScan Source will fail to use them. 98 IBM Security AppScan Source: Installation and Administration Guide For teams that use AppScan Source for Development, floating scanning licenses can be released directly from the user interface, allowing other team members to acquire licenses when they need them. In local mode, there is a Release Scanning License action - whereas, in server mode, the license is released as part of the Log Out from Server action. After a license is released, it will automatically be reacquired when a scan is initiated (if a license is available). Viewing licenses The list of licenses in the License Manager utility indicates: v The AppScan Source products and features that the license or licenses apply to (licenses for other IBM products will not appear in this utility). v The license type: Licenses are either floating or nodelocked (indicating an imported license file). v License expiration: The number of days left in the license is displayed. If the number of days is greater than 365, the license expiration is simply marked Valid. v The total number of licenses available on all specified servers. Chapter 8. Activating the software 99 100 IBM Security AppScan Source: Installation and Administration Guide Chapter 9. Removing AppScan Source from your system You can remove AppScan Source from the Windows Control Panel or with a Linux or OS X uninstall script. The AppScan Source uninstall does not remove or back up an installed Oracle database. Deleting the AppScan Source user from an Oracle instance is a manual database administrative task. About this task v “Removing from Microsoft Windows platforms” v “Removing from Linux platforms” v “Removing from OS X platforms” Removing from Microsoft Windows platforms Procedure 1. Use the Control Panel option for removing programs. For example, on Windows 7, select the Programs and Features option in the Control Panel. 2. Choose the appropriate action for removing IBM Security AppScan Source from the list of installed programs. Removing from Linux platforms When you install on Linux, a script is created that you can run to remove AppScan Source. About this task If you uninstall, you must uninstall as the same user who installed. If you installed the software as root on Linux, you must uninstall as root. Procedure 1. Locate the script, /Uninstall_AppScan/AppScan_Uninstaller (where is the location of your AppScan Source installation). 2. Run this script (using sudo) to display the wizard that is used for removing the product. Removing from OS X platforms When you install on OS X, a script is created that you can run to remove AppScan Source. About this task If you uninstall, you must uninstall as the same user who installed. Procedure 1. Locate the script, /Uninstall_AppScan/AppScan_Uninstaller.sh (where is the location of your AppScan Source installation). 2. Run this script (using sudo) to display the wizard that is used for removing the product. © Copyright IBM Corp. 2003, 2014 101 102 IBM Security AppScan Source: Installation and Administration Guide Chapter 10. Administering AppScan Source This section explains user management, permissions, application and project registration, and port configuration. Your AppScan Source administrator is responsible for deploying and installing the AppScan Enterprise Server and AppScan Source products - and creating users with the appropriate privileges and permissions (or configuring automatic login for AppScan Enterprise Server users). The administrator must understand the role of each user and the required deployment model to complete these tasks. It is also necessary for the administrator to know if other systems, such as defect tracking and Directory Server, must be integrated with AppScan Source and the AppScan Enterprise Server. It is also important to understand the installation configurations of AppScan Source for Analysis and the AppScan Enterprise Server, how to connect to the server, and the available functionality for each user. For example, the administrator must be familiar with how to configure AppScan Source applications and projects and how to register and publish them. See the IBM Security AppScan Source for Analysis User Guide for more detailed information. Typically, administrators will have users log in to AppScan Source products with their AppScan Enterprise Server credentials. However, if there is cause for having AppScan Source users that do not exist in the AppScan Enterprise Server, administrators can create local AppScan Source users (see “Creating AppScan Source users” on page 104). User accounts and permissions Before AppScan Source users can begin to scan or triage results, an administrator must create user accounts and assign permissions to the accounts. AppScan Source user permissions are stored in the AppScan Source Database and applied when a user is logged in to the AppScan Enterprise Server. Users that run AppScan Source for Development in local mode have full AppScan Source permissions. When you create a user, you establish a role for that user and identify the permissions available for that user. Permissions identify the allowable AppScan Source tasks for that user. Tasks not specifically identified as part of a permission are available to all users. Note: You cannot modify a user ID. You must delete the user account and recreate the user with the same user ID. Permission Group Permission Application and Project Management Register (Register and unregister applications and projects) Scan View Registered Manage Attributes © Copyright IBM Corp. 2003, 2014 103 Permission Group Permission Apply Attributes Assessment Management Delete Published Assessments Save Assessments Publish Assessments View Published Assessments Knowledgebase Management Manage Custom Rules Manage Patterns Administration Manage Users Manage AppScan Enterprise Settings Filter Management Manage Shared Filters Scan Configurations Manage Shared Configurations (sharing scan configurations and editing/deleting shared scan configurations) Creating AppScan Source users Typically, administrators will have users log in to AppScan Source products with their AppScan Enterprise Server credentials. However, if there is cause for having AppScan Source users that do not exist in the AppScan Enterprise Server, administrators can create local AppScan Source users, according to the instructions in this topic. About this task Users can be created in the AppScan Source for Analysis user interface or in the CLI (see the IBM Security AppScan Source Utilities User Guide to learn about creating users in the CLI). From the AppScan Source for Analysis user interface, you can also set automatic login for AppScan Enterprise Server users (see “Configuring automatic login of AppScan Enterprise Server users” on page 105). To create users in the AppScan Source for Analysis user interface, follow these steps: Procedure 1. Select Admin > Manage Users from the main workbench menu. 2. The Manage Users dialog box lists existing AppScan Source users. Those located in the AppScan Enterprise Server user repository exist locally in the AppScan Source Database and on the AppScan Enterprise Server. Those located in the AppScan Source repository exist only in the AppScan Source Database. When you create a new user from this dialog box, it is created only in the AppScan Source Database. 3. Click Add User to open the Add User dialog box. 4. Type a User ID and then enter a password for the user (twice for confirmation - between 6 and 16 characters). These are required fields. You can also optionally add a user Name (255 characters maximum). 5. Expand the Permissions tree and select the check boxes that identify the user's permissions. 6. Click OK to create the user. 104 IBM Security AppScan Source: Installation and Administration Guide Results Using the settings described in this topic, you can also edit users by selecting the user in the Manage Users dialog box and clicking Edit User. Similarly, you can remove a user by selecting it and clicking Delete User. Note: When you edit AppScan Enterprise Server users from AppScan Source for Analysis, you can only modify their AppScan Source permissions (provided you have Manage AppScan Enterprise Settings permissions). AppScan Enterprise Server authentication: Migration considerations for replacement of the IBM Rational Jazz user authentication component with IBM WebSphere Liberty This topic describes user management-related migration considerations that you may need to consider if you are upgrading from a previous version of AppScan Enterprise Server. v Migrating from an Enterprise Server that only has local Jazz users: In this upgrade scenario, the former Jazz users will appear in the AppScan Source Database as AppScan Enterprise Server users, however, they will not be valid. These users can be removed from the Database - or they can be converted to AppScan Source users if you follow the instructions in http://www.ibm.com/ support/docview.wss?uid=swg21686347 for enabling that conversion. v Migrating from an Enterprise Server that was configured with LDAP: During the Enterprise Server upgrade, you have the option of configuring the Enterprise Server with LDAP again. If you do this, existing users will still work in AppScan Source. v Migrating from an Enterprise Server that was configured with Windows authentication: If your Enterprise Server was configured with Windows authentication, existing users will work in AppScan Source, provided the new Enterprise Server Liberty is configured to use Windows authentication. Note: When you migrate from an Enterprise Server that was configured with LDAP or Windows authentication, the existing users will be reassigned with the default permissions that are assigned to AppScan Enterprise Server users. These default permissions are described in “Configuring automatic login of AppScan Enterprise Server users.” Configuring automatic login of AppScan Enterprise Server users By default, AppScan Enterprise Server users can log in to AppScan Source and automatically be added to the AppScan Source Database (these users will be listed as AppScan Enterprise Server users). This feature can be configured in the AppScan Source for Analysis user interface according to the instructions in this topic. Procedure 1. From the AppScan Source for Analysis Admin menu, click Manage Users. 2. In the Manage Users dialog box, click the Configure login for AppScan Enterprise Server users link. 3. The Configure AppScan Enterprise Server User Login dialog box allows you to enable this feature - and set initial permissions for AppScan Enterprise Server users: Chapter 10. Administering AppScan Source 105 v By default, AppScan Enterprise Server users can log in to AppScan Source. To disable this feature, deselect the Permit login by AppScan Enterprise Server users check box. v By default, AppScan Enterprise Server users have these permissions when logging in to AppScan Source: – Register – Scan – View Registered – Manage Attributes – Apply Attributes – Save Assessments Expand the Permissions tree and select the check boxes that identify the appropriate initial settings for AppScan Enterprise Server users. See “User accounts and permissions” on page 103 for a list of all available permissions. 4. Click OK to close the Configure AppScan Enterprise Server User Login dialog box - and then Close the Manage Users dialog box. Results The first time an AppScan Enterprise Server user logs in to AppScan Source, an AppScan Source user account will be created with the same authentication credentials that are used for logging in to the AppScan Enterprise Server. After the account is created, you can modify it (for example, modify its permissions). If you disable this feature, AppScan Enterprise Server users will need to be created manually by following the instructions in “Creating AppScan Source users” on page 104. Creating local product administrator users in AppScan Enterprise Server Liberty As of AppScan Enterprise Server Version 9.0.1, you have the ability to create a local product administrator user in AppScan Enterprise Server Liberty in order to administer AppScan Source. After the user is created, the AppScan Source Database must be registered with AppScan Enterprise Server using the administrator credentials. To learn how to create a local product administrator user in AppScan Enterprise Server Liberty, follow the instructions in the appropriate topic: v “Creating a local product administrator user for an AppScan Enterprise Server that is configured with LDAP” v “Creating a local product administrator user for an AppScan Enterprise Server that is configured with Windows authentication” on page 107 Creating a local product administrator user for an AppScan Enterprise Server that is configured with LDAP Procedure 1. Locate the server.xml file. On Windows, this file is located in the Liberty\usr\servers\ase folder in your AppScan Enterprise Server installation directory. On Linux, this file is located in the Liberty/usr/servers/ase folder in your AppScan Enterprise Server installation directory. Edit this file as follows: 106 IBM Security AppScan Source: Installation and Administration Guide a. Change the value of product.admins to be the name of the administrator user - for example, ADMIN: b. Remove the existing LDAP tag section and add a basicRegistry section. For example, remove this section: And add this section (this sample uses ADMIN as an example password): Note: The administrator password can be encrypted by following the instructions in “Encrypting the administrator password” on page 108. In this case, specify the generated encrypted password in this section. 2. Save the file and restart the ase service: v On Linux, issue the /etc/init.d/ase_liberty restart command. v On Windows, complete one of these tasks: – Choose Run in the Windows Start menu and then type services.msc. When the Services window opens, right-click IBM Security AppScan Enterprise Server and choose Restart. – In a command prompt, change directory to the Liberty\bin folder in your AppScan Enterprise Server installation directory. Issue the server stop ase command - and then issue server start ase. 3. Register the AppScan Source Database with AppScan Enterprise Server using the newly-created ADMIN credentials. Creating a local product administrator user for an AppScan Enterprise Server that is configured with Windows authentication Procedure 1. Locate the server.xml file. On Windows, this file is located in the Liberty\usr\servers\ase folder in your AppScan Enterprise Server installation directory. On Linux, this file is located in the Liberty/usr/servers/ase folder in your AppScan Enterprise Server installation directory. Edit this file as follows: a. Remove this line: usr:WindowsRegistryFeature b. Change the value of product.admins to be the name of the administrator user - for example, ADMIN: c. Add this before at the end of the file (this sample uses ADMIN as an example password): Chapter 10. Administering AppScan Source 107 Note: The administrator password can be encrypted by following the instructions in “Encrypting the administrator password.” In this case, specify the generated encrypted password in this section. 2. Save the file and restart the ase service: v On Linux, issue the /etc/init.d/ase_liberty restart command. v On Windows, complete one of these tasks: – Choose Run in the Windows Start menu and then type services.msc. When the Services window opens, right-click IBM Security AppScan Enterprise Server and choose Restart. – In a command prompt, change directory to the Liberty\bin folder in your AppScan Enterprise Server installation directory. Issue the server stop ase command - and then issue server start ase. 3. Register the AppScan Source Database with AppScan Enterprise Server using the newly-created ADMIN credentials. Encrypting the administrator password When creating a local product administrator user for an AppScan Enterprise Server, you add the administrator user and password to the server.xml file. You can encrypt that password by following the instructions in this topic. When you edit the server.xml file (by following the instructions in “Creating a local product administrator user for an AppScan Enterprise Server that is configured with LDAP” on page 106 or “Creating a local product administrator user for an AppScan Enterprise Server that is configured with Windows authentication” on page 107), you can use the securityUtility tool to encode the password for the administrator user. On Windows, the tool is located in Liberty\bin in the AppScan Enterprise Server installation directory. On Linux, the tool is located in Liberty/bin. When you run the securityUtility encode command, you either supply the password to encode as an input from the command line or, if no arguments are specified, the tool prompts you for the password. The tool then outputs the encoded value. For example, to encode a password value of ADMIN, issue the securityUtility encode ADMIN command. this should generate an output value of {xor}HhsSFhE=. Copy the value that is generated by the tool, and use that value for the password when adding the basicRegistry section to the server.xml file. For example, add this to the file: Creating a user account for the Automation Server A user account is required for Automation Server use. This user account must be registered with the Automation Server during installation or by command line post-installation. A corresponding AppScan Source user account must also then be created manually post-installation with AppScan Source for Analysis or the AppScan Source command line interface (CLI). This topic describes creating this account using AppScan Source for Analysis. Procedure 1. Follow the instructions in “Creating AppScan Source users” on page 104 for creating a new user - or enable the automatic creation of AppScan Enterprise Server users (see “Configuring automatic login of AppScan Enterprise Server users” on page 105). 108 IBM Security AppScan Source: Installation and Administration Guide 2. Ensure that any users that will use the Automation Server have the same user name and password that was specified for Automation Server login. Other settings, such as permission, can be set according to your needs. Chapter 10. Administering AppScan Source 109 110 IBM Security AppScan Source: Installation and Administration Guide Chapter 11. Auditing user activity AppScan Source offers a convenient location for auditing user activity. The Audit view logs events such as authentication to the AppScan Enterprise Server, the creation of new users, and the creation of new rules in the database. To open the Audit view, select Admin > Audit from the main menu. Note: You must have Manage Users permission to use the Audit view. Opening the view without appropriate permission will result in an error. To learn about AppScan Source permissions, see “User accounts and permissions” on page 103. © Copyright IBM Corp. 2003, 2014 111 112 IBM Security AppScan Source: Installation and Administration Guide Chapter 12. Logging in to AppScan Enterprise Server from AppScan Source products Most AppScan Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. When you launch AppScan Source for Analysis, you are prompted to log in. If you are running AppScan Source for Development in server mode, you are prompted to log in when you first initiate an action that needs access to the server, such as launching a scan, or viewing scan configurations. In AppScan Source for Analysis, when logging in, you are prompted for: v User ID: Specify your user ID (depending on how your account was set up, this is a user ID that exists both on the AppScan Enterprise Server and in the AppScan Source Database - or it is a user ID that exists only in the AppScan Source Database). If your AppScan Enterprise Server uses Windows authentication, you must include the Windows domain name - for example MyWindowsDomain\username. v Password: Specify the password for your user ID. v AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance. In AppScan Source for Development, when logging in, you are prompted for: v Server URL: Specify the URL for your AppScan Enterprise Server instance. v User ID: Specify your user ID (depending on how your account was set up, this is a user ID that exists both on the AppScan Enterprise Server and in the AppScan Source Database - or it is a user ID that exists only in the AppScan Source Database). If your AppScan Enterprise Server uses Windows authentication, you must include the Windows domain name - for example MyWindowsDomain\username. v Password: Specify the password for your user ID. Login actions are also required when running AppScan Source for Automation or the AppScan Source command line interface (CLI). See the IBM Security AppScan Source Utilities User Guide for more information. To learn about AppScan Enterprise Server SSL certificates, see “AppScan Enterprise Server SSL certificates” on page 114. Changing AppScan Source user passwords To be able to change an AppScan Source user password, you must have Manage Users permissions and the change must be made in AppScan Source for Analysis. If you do not have this permission, have your administrator change your password for you, following the instructions in this topic. If your AppScan Enterprise Server is configured to use LDAP authentication or Windows authentication, this topic does not apply. © Copyright IBM Corp. 2003, 2014 113 Procedure 1. In AppScan Source for Analysis, select Admin > Manage Users from the main workbench menu. 2. The Manage Users dialog box lists existing AppScan Source users. To change the password for one of these users, edit the user information by completing one of these tasks: v Double-click the user. v Right-click the user and choose Edit User. v Select the user and click the Edit User button. Note: You cannot change the password of an AppScan Enterprise Server user from AppScan Source. 3. In the Edit User dialog box, enter a new password and then type the password again in the Confirm Password field. 4. Click OK to change the password. AppScan Enterprise Server SSL certificates When the AppScan Enterprise Server is installed, it should be configured to use a valid SSL certificate. If this is not done, you will receive an untrusted connection message when logging in to the server from AppScan Source for Analysis or the AppScan Source command line interface (CLI) - or AppScan Source for Development on Windows and Linux. SSL certificate storage location Certificates that have been permanently accepted are stored in \config\cacertspersonal and \config\cacertspersonal.pem (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55). Remove these two files if you no longer want the certificates permanently stored. AppScan Source for Automation and SSL certificate validation By default, certificates are automatically accepted when using AppScan Source for Automation. This behavior is determined by the ounceautod_accept_ssl setting in the Automation Server configuration file (\config\ ounceautod.ozsettings (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55)). If this setting is edited so that value="true" is set to value="false", SSL validation will be attempted and logging in or publishing to AppScan Enterprise Console will fail with error if an invalid certificate is encountered. AppScan Source command line interface (CLI) and SSL certificate validation By default, when using the CLI login command, SSL validation will be attempted and logging in or publishing to AppScan Enterprise Console will fail with error if an invalid certificate is encountered (if you have not already permanently accepted the certificate while logging in via another AppScan Source client product). This behavior can be modified by using the option -acceptssl parameter when issuing the login command. When this parameter is used, SSL certificates are automatically accepted. 114 IBM Security AppScan Source: Installation and Administration Guide Chapter 13. LDAP integration To add an AppScan Source user that will be authenticated via LDAP, you must have configured the AppScan Enterprise Server user repository to use an LDAP repository. For information about configuring the AppScan Enterprise Server user repository to use an LDAP repository, refer to the AppScan Enterprise Planning & Installation Guide or to the AppScan Enterprise Server user assistance at IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SSW2NF/welcome). If you are using LDAP authentication and want to add an AppScan Source user that is not part of an LDAP user group, create the user locally in the AppScan Source user repository by selecting the Store user in AppScan Source repository check box in the Add User dialog box. See “Creating AppScan Source users” on page 104 for user creation instructions. © Copyright IBM Corp. 2003, 2014 115 116 IBM Security AppScan Source: Installation and Administration Guide Chapter 14. Registering applications and projects for publishing to AppScan Source Registering applications/projects and publishing assessments results, enables the sharing of critical security data across the team (assessments are published to the AppScan Source Database). Users with the appropriate privileges and permissions can access these assessment results through AppScan Source for Analysis. In some deployments, registering applications and projects, as well as publishing assessment results, is an administrative task. In other deployments, these are Project Lead/Security Analyst tasks. It is recommended that you limit permissions to only those who need to perform these tasks. © Copyright IBM Corp. 2003, 2014 117 118 IBM Security AppScan Source: Installation and Administration Guide Chapter 15. AppScan Source application and project files AppScan Source applications and projects have corresponding files that maintain configuration information required for scanning, as well as triage customization. It is recommended that these files reside in the same directory as the source code, since configuration information (dependencies, compiler options, and so forth) required to build the projects is very similar to that required for AppScan Source to scan them successfully. Best practice includes managing these files with your source control system. When you use supported build integration tools (for example, Ounce/Ant or Ounce/Maven) to generate AppScan Source applications and project files, it is recommended that you update these files in source control as part of your build automation, to facilitate sharing them across the development team. When a developer updates the local view of the files in source control, the AppScan Source application and project files update as well. This ensures that the entire team is working with a consistent set of files. Applications and projects created in AppScan Source for Analysis have a .paf and .ppf extension respectively. These files are generated when you manually create and configure an application or project in the AppScan Source for Analysis user interface or via supported AppScan Source utilities. On Windows, when you import Microsoft solutions and projects into AppScan Source for Analysis, files with .sln.gaf and .sln.gpf extensions are created for them. On OS X, When you import Xcode directories and projects into AppScan Source for Analysis, files with .xcodeproj.gaf and .xcodeproj.gpf extensions are created for them. Similarly, when you import an Xcode workspace, a file with an .xcworkspace.gaf extension is created. Note: When an Eclipse Importer runs on an Eclipse or Rational Application Developer for WebSphere Software (RAD) workspace, AppScan Source creates intermediate files with .ewf and .epf extensions. These files are required for the initial import into AppScan Source for Analysis and for future scans. Important: If you are working with an AppScan Source project that has dependencies in a development environment (for example, an IBM Worklight project), ensure that you build the project in the development environment before importing it. After importing the project, if you modify files in it, be sure to rebuild it in the development environment before scanning in AppScan Source (if you do not do this, modifications made to files will be ignored by AppScan Source). Table 3. AppScan Source files AppScan Source File Extension Description ppf v AppScan Source project file v Generated when you create a project with AppScan Source for Analysis or supported AppScan Source utilities v User-named © Copyright IBM Corp. 2003, 2014 119 Table 3. AppScan Source files (continued) AppScan Source File Extension Description paf v AppScan Source application file v Generated when you create an application with AppScan Source for Analysis or supported AppScan Source utilities v User-named sln.gaf v AppScan Source application file that is generated when you import Microsoft solutions v Used to hold custom application information such as exclusions and bundles v Adopts the name of the imported workspace or solution. For example: d:\my_apps\myapp.sln d:\my_apps\myapp.sln.gaf vcproj.gpf v AppScan Source project file that is generated when you import Microsoft projects v Used to hold custom project information such patterns and exclusions v Adopts the name of the imported project: For example: d:\my_projects\myproject.vcproj d:\my_projects\myproject.vcproj.gpf .xcodeproj.gaf v AppScan Source application file that is generated when you import Xcode directories v Used to hold custom application information such as exclusions and bundles v Adopts the name of the imported workspace or solution. For example: /Users/myUser/myProject.xcodeproj /Users/myUser/myProject.xcodeproj.gaf .xcodeproj.gpf v AppScan Source project file that is generated when you import Xcode projects v Used to hold custom project information such patterns and exclusions v Adopts the name of the imported project: For example: /Users/myUser/myProject.xcodeproj /Users/myUser/myProject.xcodeproj.gpf 120 IBM Security AppScan Source: Installation and Administration Guide Table 3. AppScan Source files (continued) AppScan Source File Extension Description .xcworkspace.gaf v AppScan Source application file that is generated when you import an Xcode workspace v Used to hold custom application information such as exclusions and bundles v Adopts the name of the imported workspace. For example: /Users/myUser/myProj.xcworkspace.gaf ewf v Eclipse workspace file v Produced when you import an Eclipse workspace into AppScan Source v The Eclipse exporter creates the file based on information in the Eclipse workspace AppScan Source then imports the file epf v Eclipse project file v Produced when an Eclipse project is imported into AppScan Source v The Eclipse exporter creates the file based on information in the Eclipse project AppScan Source then imports the file Chapter 15. AppScan Source application and project files 121 122 IBM Security AppScan Source: Installation and Administration Guide Chapter 16. Port configuration Deployment of AppScan Source products requires that certain ports be open on the computers where those components are installed. The tables in “Default open ports” provide information about port usage. Each port is configurable. Default open ports Default open ports for remote communication Port Components Protocol 443 and 9443 AppScan Enterprise Server HTTPS 2315 IBM solidDB solidDB Default open ports for local host access Port Components Protocol 443 and 9443 AppScan Enterprise Server HTTPS 13194-13294 AppScan Source for Analysis IIOP (only uses one port in this range) 13205 AppScan Source for Automation IIOP License server ports The Rational License Key Server is used for serving floating licenses to AppScan Source. To make use of AppScan Source floating licenses through a firewall or from another network, some manual configuration is required. You will need to configure License Manager ports for the lmgrd and ibmratl vendor daemons on the Rational License Key Server - and then open/forward both ports in addition to the AppScan Source ports. Refer to the Rational License Key Server documentation for more information. By default, the lmgrd port is 27000 and the ibmratl vendor daemon port is allocated dynamically. Port forwarding configuration To operate in a port forwarding environment, you must make configuration changes to the AppScan Source system properties. For detailed instructions for changing the appropriate settings, contact your IBM support representative. Changing the IBM solidDB port About this task To change the solidDB communications port number, access the machine on which you have installed the AppScan Source Database and follow the steps in this topic. © Copyright IBM Corp. 2003, 2014 123 Important: If you change the solidDB port, you must run the appscanserverdbmgr tool to register the updated database location with the server. See “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 for information about this tool. Procedure 1. Open \solidDB\appscansrc\solid.ini (on Windows) or /soliddb/appscansrc/solid.ini (on Linux) (where is the location of your AppScan Source installation). In the file, locate the NETWORK NAME setting and change its port number value. For example if you have installed the database on Windows and want to change its port number to 12345, find Listen=tcpip 2315, nmpipe SOLID ; Windows (the default value of the setting on Windows) and change it to Listen=tcpip 12345, nmpipe SOLID ; Windows. Save the changes to the file. 2. Open \config\database.ozsettings (on Windows) or /config/database.ozsettings (on Linux) (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55). In the file, locate the db_connection_information setting and change its port number value. For example if you want to change the port number to 12345, find value="tcp localhost 2315" and change it to value="tcp localhost 12345". Save the changes to the file. 3. Restart the IBM Security AppScan Source DB service. 124 IBM Security AppScan Source: Installation and Administration Guide Chapter 17. Changing IBM solidDB user passwords after installation If you install the IBM solidDB database during the product installation, you must configure solidDB user and administrative user credentials. By default, the settings for the solidDB user are user name ounce and password ounce. The default database administrator user name and password are both dba. About this task To change the password for either of these two user accounts, follow the steps in this topic. Important: If you change the solidDB port, you must run the appscanserverdbmgr tool to register the updated database location with the server. See “Registering the AppScan Source Database with AppScan Enterprise Server” on page 69 for information about this tool. Procedure 1. At a command prompt, change directory to \solidDB\bin (where is the location of your AppScan Source installation). 2. Issue the command solsql.exe "tcp 2315" (on Windows) or solsql "tcp 2315" (on Linux). 3. When prompted for a Username, enter the currently-configured solidDB administrative username. By default, this is dba. 4. When prompted for a Password, enter the currently-configured solidDB administrative password. By default, this is dba. 5. Issue the command alter user identified by ;. In this command: v is the solidDB user whose password you want to change. You can change the solidDB user password or you can change the solidDB administrative user password. v is the new password that you want to set for . For example, to change the default administrative user password to newpassword123, issue the command alter user dba identified by newpassword123;. 6. To complete the password change for the solidDB user, issue the command commit work; and then issue the command exit;. 7. Optional: This step is only required if you have changed the solidDB user password. Do not complete this step for a change to the solidDB administrative user password. After changing the solidDB user password, you will need to change the password that is registered with the AppScan Source Database: a. Open a command prompt and change directory to \bin (where is the location of your AppScan Source installation). b. On Windows, issue the command OunceServer.exe -a . On Linux, issue the command ounceserverd -a . For both, is the new password that was specified when changing the solidDB user password in the above steps. © Copyright IBM Corp. 2003, 2014 125 126 IBM Security AppScan Source: Installation and Administration Guide Chapter 18. AppScan Source predefined filters (Version 8.7.x and earlier) This topic lists predefined filters that were included in AppScan Source Version 8.7.x and earlier. If you need to access these filters, follow the instructions in Chapter 19, “Restoring archived predefined filters,” on page 129. ! - The Vital Few This filter matches findings from some of the most dangerous vulnerability categories. Only findings which originate in an external network communications source are included. This filter provides a laser-focused starting point for high risk findings. The specific categories which are included in this filter are: Vulnerability.BufferOverflow Vulnerability.BufferOverflow.FormatString Vulnerability.PathTraversal Vulnerability.CrossSiteScripting Vulnerability.CrossSiteScripting.Reflected Vulnerability.CrossSiteScripting.Stored Vulnerability.Injection Vulnerability.Injection.LDAP Vulnerability.Injection.SQL Vulnerability.Injection.OS Vulnerability.Injection.XML Vulnerability.Injection.XPath High Priority - External Communications This filter matches findings which originate from outside the application and across a network. This filter matches findings which originate at any Technology.Communications source. High Priority - Important Types This filter contains findings from some of the most dangerous vulnerability categories, such as CrossSiteScripting and Injection.SQL. The specific categories which are included in this filter are: Vulnerability.AppDOS Vulnerability.Authentication.Credentials.Unprotected Vulnerability.Authentication.Entity Vulnerability.BufferOverflow Vulnerability.BufferOverflow.FormatString Vulnerability.CrossSiteScripting Vulnerability.CrossSiteScripting.Reflected Vulnerability.CrossSiteScripting.Stored Vulnerability.Injection Vulnerability.Injection.LDAP Vulnerability.Injection.OS Vulnerability.Injection.SQL Vulnerability.Injection.XML Vulnerability.Injection.XPath Vulnerability.PathTraversal © Copyright IBM Corp. 2003, 2014 127 Low Priority - Test Code This filter contains findings from test code. Specific types in this filter include: Vulnerability.Quality.TestCode Noise - Copy-like Operations This filter contains findings that are concerned with copy-like operations. A copy-like operation occurs when data is taken from a source which may or may not be trusted, but actions performed on the data are trusted. These patterns are looked for: Technology.Database --> Vulnerability.Injection.SQL Mechanism.SessionManagement --> Mechanism.SessionManagement Technology.XML, Technology.XML.DOM, Technology.XML.Schema, Technology.XML.XPath --> Vulnerability.AppDOS.XML, Vulnerability.Injection.XML Noise - Logging Issues This filter contains findings related to error handling. The findings found emanate from an error handling routine to a logging mechanism. This pattern is matched: Mechanism.ErrorHandling --> Vulnerability.Logging, Vulnerability.Logging.Forge, Vulnerability.Logging.Required Noise - Low Severity This filter contains findings with a severity of Low. All classifications are included. Noise - Trusted Source This filter contains findings that emanate from a trusted source. Only findings that have java.lang.System.getProperty.* as their source are included in this filter. 128 IBM Security AppScan Source: Installation and Administration Guide Chapter 19. Restoring archived predefined filters Predefined filters that were provided in AppScan Source prior to Version 8.8 can be added back to the product by following the steps in this task. Once restored on a single machine, they can be managed in the same manner as filters that you create (for example, they can be shared to multiple clients). About this task Archived predefined filters are located in \archive\filters (where is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 55). Procedure 1. In \archive\filters, locate the filter or filters that you want to restore (AppScan Source filters have a .off file extension). 2. Copy the filter or filters to \scanner_filters. 3. Restart AppScan Source. What to do next To learn how to manage filters (including archived filters that you have restored), see Chapter 20, “Creating and managing filters in the Filter Editor view,” on page 131. © Copyright IBM Corp. 2003, 2014 129 130 IBM Security AppScan Source: Installation and Administration Guide Chapter 20. Creating and managing filters in the Filter Editor view In this view, you can create, edit, save, delete, and manage filters. If you are using AppScan Source for Analysis, you can share filters and access filters that have been shared by others. In AppScan Source for Development, you can access shared filters if you are using server mode and logged in to the AppScan Enterprise Server. Procedure 1. In the Chapter 21, “Filter Editor view,” on page 133 toolbar, click New. The new filter name is Untitled<-number> (where the first new untitled filter is Untitled and the next new untitled filter is Untitled-1, and so on). Note: In AppScan Source for Development (Visual Studio plug-in), this view is part of the Edit Filters window. 2. Expand the categories and select the criteria that you want for the filter. 3. Click Save or Save As. 4. Name the filter and click OK. The new filter name replaces Untitled<-number> in the list of filters. What to do next To apply the filter, select it in the Filter Editor view drop down menu. Note: Filters that are applied outside of the Vulnerability Matrix view may not affect the Vulnerability Matrix view. The Vulnerability Matrix view Show the counts of filtered findings toolbar button must be selected for the filter to be reflected in the Vulnerability Matrix view. Filters can be managed directly in the Filter Editor view by selecting the filter in the list and then working with it - or you can click Manage Filters to open the Manage Filters dialog box, which provides a list of saved filters. v Modifying filters: Select the filter in the Filter Editor view or in the Manage Filters dialog box and then modify its filter rules and save the changes. Note: Built-in filters cannot be modified or deleted. v Deleting filters: Select the filter in the Filter Editor view or in the Manage Filters dialog box and then click Delete. In the Manage Filters dialog box, you can select multiple filters and click Delete to remove them at the same time. v Creating a filter from another filter: You can modify a filter and then click Save As to save it as a filter with a new name. This allows you to create a new filter by building on the settings of an existing filter. You can do this in both the Filter Editor view and the Manage Filters dialog box. Tip: The same thing can be accomplished by opening a filter and using the Save As action to save it with a new name. You can then open the new filter and modify it. By choosing this method, you can create a new filter from one of the built-in filters. © Copyright IBM Corp. 2003, 2014 131 v Reverting filter settings: If you modify the properties of a filter and want to undo those changes, click Revert to return the filter to its last saved settings. This action can be performed in both the Filter Editor view and the Manage Filters dialog box. In the dialog box, if you have multiple filters with unsaved changes, clicking Revert will cause all selected filters with unsaved changes to be reverted back to their saved settings. v Sharing filters (AppScan Source for Analysis only): To create a shared filter, open a filter in the Filter Editor and click Share Filter on the Filter Editor view toolbar. Note: To modify, delete, or create shared filters, you must have must have Manage Shared Filters permission. To learn about setting permissions, see the IBM Security AppScan Source Installation and Administration Guide. 132 IBM Security AppScan Source: Installation and Administration Guide Chapter 21. Filter Editor view The Filter Editor view provides a more granular manipulation of the currently selected filter than other AppScan Source views. This view consists of all criteria on which you can filter. Note: In AppScan Source for Development (Visual Studio plug-in), this view is part of the Edit Filters window. Tip: In the Filter Editor view Trace section, hovering over a trace entry provides details about the entry. © Copyright IBM Corp. 2003, 2014 133 134 IBM Security AppScan Source: Installation and Administration Guide Notices This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan, Ltd. 19-21, Nihonbashi-Hakozakicho, Chuo-ku Tokyo 103-8510, Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law : INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. © Copyright IBM Corp. 2003, 2014 135 IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. This information is for planning purposes only. The information herein is subject to change before the products described become available. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to 136 IBM Security AppScan Source: Installation and Administration Guide IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces. Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows: © (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved. If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed. Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml. Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Notices 137 Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries. 138 IBM Security AppScan Source: Installation and Administration Guide Index A activate 97 application defined 6 AppScan Enterprise Server change password 114 SSL certificate 114 AppScan Source accessibility issues 15 AppScan Enterprise Server login 113 change password 114 SSL certificate 114 for Analysis 1 concepts 6 for Automation 1 for Development 1 product family 1 AppScan Source files epf 119 ewf 119 gaf 119 gpf 119 paf 119 ppf 119 AppScan Source for Automation 79 installing 79 syntax 81 AppScan Source for Development plug-in 75 AppScan Source Installation Wizard 53 AppScan Source products 1 AppScan Source Security Knowledgebase 1 AppScan Source solidDB 70, 71 assessment 6 attributes defined 6 common installation scenarios (continued) migrate Rational AppScan Source Edition Version 8.0.x or earlier to Version 8.6.x 44 create filter filter editor 131 creating local product ADMIN users in AppScan Enterprise Server Liberty encrypted password 108 creating local product administrator users in AppScan Enterprise Server Liberty 106 LDAP 106 Windows authentication 107 custom installation 85 Custom Installation Wizard 85, 87, 91, 92 installation (continued) Visual Studio Plug-in 78 installing AppScan Enterprise Server 58, 59 AppScan Source fix pack 81 AppScan Source Database 59 register 69 AppScan Source for Automation 79 AppScan Source for Development plug-in for Eclipse 75 change IBM solidDB password 125 change IBM solidDB port 123 OS X 71 to an existing Oracle database 63 Internet Protocol Version 6 14 IPv6 14 D J default installation directory 20, 54, 55 deployment 8, 89, 95 enterprise workgroup 12 small workgroup 10 standard desktop 9 JRE version 1.5 requirement F B Federal Information Processing Standard 14 filter create in Filter Editor view 131 predefined archive 127 access 129 shared 131 Filter Editor view 133 findings classification 7 FIPS 14 backing up the AppScan Source database 70 bundles 6 I C classification definitive 7 scan coverage 7 suspect 7 command line custom installation 88, 94 ounceautod 79 common installation scenarios 23 install all components on one machine 24 install AppScan Source components in a multi-machine environment 30 integrate with existing AppScan Enterprise Server 39 © Copyright IBM Corp. 2003, 2014 installation AppScan Source for Development AppScan Source for Development plug-in for Visual Studio 78 configurations 103 custom 85 data location 20, 55 changing 56 Developer Plug-in 76, 78 Eclipse plug-in 74, 77 file location 20, 55 Linux server 87, 92 Microsoft Windows 54 setup.bin 53 setup.bin.gz 53 setup.exe 53 silent 85, 91 74, 77 K Knowledgebase 1 L LDAP 115 License Manager 97 license floating 98 import 97 viewing 99 Linux Eclipse plug-in installation setup.sh 54, 75 uninstall 101 Linux installation setup.bin.gz 53 74, 77 M 74 managing users 104 automatic login of AppScan Enterprise Server users 105 Automation Server user 108 Microsoft Windows 17 uninstall 101 Migrating 4 N National Institute of Standards and Technology 14 NIST 14 139 O OCI libraries 67 Oracle 70 Oracle Client libraries. 67 OS X uninstall 101 OUNCE_CONFIG_FILE 86, 88, 91, 94 Ounce/Ant 119 Ounce/Make 119 Ounce/Maven Plug-in 119 ounceautod 79 P password 104 permissions 103, 104 ports 123 default 123 forwarding 123 products 1 projects defined 6 R registering applications and projects restoring the AppScan Source database 71 117 S setup.sh 54, 75 shared filter 131 silent installation 85, 91 system requirements 17 systems supported in Visual Studio 78 U uninstall 101 user audit 111 user account 103 migrate Liberty user name 104 105 V views Filter Editor 133 Visual Studio systems supported vulnerability definition 6 78 W What's New 2 workflow 7 140 IBM Security AppScan Source: Installation and Administration Guide Printed in USA

Ibm Security Appscan Source: Installation And Administration Guide

Rating

Date

Size

Views

Categories

Share

Transcript