IBM Security AppScan Source Version 9.0.0.1 Installation and Administration Guide

Upload: truonghanh

Post on 13-Jan-2017



(C) Copyright IBM Corp. and its licensors 2003, 2014. All Rights Reserved.

IBM, the IBM logo, ibm.com, Rational, AppScan, Rational Team Concert, WebSphere and ClearQuest are trademarks or registered trademarks of International Business Machines Corp. registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at http://www.ibm.com/legal/copytrade.shtml. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Unix is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

This program includes: Jacorb 2.3.0, Copyright 1997-2006 The JacORB project; and XOM 1.0d22, Copyright 2003 Elliotte Rusty Harold, each of which is available under the Gnu Library General Public License (LGPL), a copy of which is available in the Notices file that accompanied this program.

Contents

Chapter 1. Introduction to IBM Security AppScan Source
- What's New in AppScan Source
  - What's New in AppScan Source Version 9.0.0.1
  - What's New in AppScan Source Version 9.0
- Migrating to AppScan Source Version 9.0 from Version 8.7
- Important concepts
  - Classifications
  - Workflow
- AppScan Source deployment models
  - Standard desktop deployment
  - Small workgroup deployment
  - Enterprise workgroup deployment
- United States government regulation compliance
- AppScan Source and accessibility

Chapter 2. System requirements and installation prerequisites
- AppScan Source language support
- AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux

Chapter 3. Sample installation scenarios
- Installing all required components on one machine
  - Installing IBM Rational License Server
  - Installing IBM Security AppScan Enterprise Server
  - Installing AppScan Source
  - Logging into AppScan Source
- Installing AppScan Source components in a multi-machine environment
  - Installing IBM Rational License Server on Machine A
  - Installing IBM Security AppScan Enterprise Server on Machine B
  - Installing AppScan Source client products on Machine C
  - Installing the AppScan Source Database on Machine D
  - Logging into AppScan Source
- Installing AppScan Source and integrating it with an existing AppScan Enterprise Server
  - Installing AppScan Source
  - Logging into AppScan Source
- Upgrading AppScan Source
- Migrating Rational AppScan Source Edition Version 8.0.x or earlier to Version 8.6.x
  - Installing IBM Rational License Server
  - Installing Rational AppScan Enterprise Server
  - Upgrading Rational AppScan Source Edition
  - Logging into Rational AppScan Source Edition

Chapter 4. Advanced installation and activation topics
- Starting the installation wizard
- Installation and user data file locations
  - Changing the AppScan Source data directory
- AppScan Enterprise Server overview
- Installing the database and configuring connections to AppScan Enterprise Server
  - Install and configure IBM solidDB
  - Install to an existing Oracle database
  - Registering the AppScan Source Database with AppScan Enterprise Server
  - Backing up the AppScan Source Database
  - Restoring the AppScan Source IBM solidDB database
- Installing AppScan Source on OS X
- Installing AppScan Source for Development
  - AppScan Source for Development (plug-in for Eclipse, IBM Worklight, and Rational Application Developer for WebSphere Software (RAD))
  - Installing the AppScan Source for Development plug-in for Visual Studio
- Installing AppScan Source for Automation
  - Syntax
- Fix pack installation

Chapter 5. Customizing the AppScan Source installation
- Creating a custom or silent installation
  - Launching the Installation Configuration Wizard
  - Using the Custom Installation Configuration Wizard
- Running a custom or silent installation
- Example: Install AppScan Source through a custom installation

Chapter 6. AppScan Source silent installers
- Creating a custom or silent installation
  - Launching the Installation Configuration Wizard
  - Using the Custom Installation Configuration Wizard
- Running a custom or silent installation
- Example: Install AppScan Source silently through an Installation Framework

Chapter 7. Activating the software
- Importing a license file
- Using a floating license
- Viewing licenses

Chapter 8. Removing AppScan Source from your system
- Removing from Microsoft Windows platforms
- Removing from Linux platforms
- Removing from OS X platforms

Chapter 9. Administering AppScan Source
- User accounts and permissions
- Creating AppScan Source users
  - Configuring automatic login of AppScan Enterprise Server users
  - Requirements for creating AppScan Enterprise Server users
  - Creating a user account for the Automation Server
  - Migrating Rational AppScan Source Edition for Core users to AppScan Enterprise Server
- Auditing user activity
- Logging in to AppScan Enterprise Server from AppScan Source products
  - Changing your password
  - AppScan Enterprise Server SSL certificates
- LDAP integration
- Registering applications and projects for publishing to AppScan Source
- AppScan Source application and project files
- Port configuration
  - Default open ports
  - Port forwarding configuration
  - Changing the IBM solidDB port
- Changing IBM solidDB user passwords after installation

Legal notices

Index

Chapter 1. Introduction to IBM Security AppScan Source

IBM® Security AppScan® Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop.

The product set includes:

- AppScan Source for Analysis: Workbench to configure applications and projects, scan code, analyze, triage, and take action on priority vulnerabilities.
- AppScan Source for Automation: Allows you to automate key aspects of the AppScan Source workflow and integrate security with build environments during the software development life cycle.
- AppScan Source for Development: Developer plug-ins integrate many AppScan Source for Analysis features into Microsoft Visual Studio, the Eclipse workbench, and Rational® Application Developer for WebSphere® Software (RAD). This allows software developers to find and take action on vulnerabilities during the development process. The Eclipse plug-in allows you to scan source code for security vulnerabilities and, optionally, scan for quality risks as well as create quality rule configuration files that enable quality scanning in the AppScan Source command line interface (CLI) and AppScan Source for Automation. In addition, IBM Worklight® projects can be scanned with the Eclipse plug-in.

To enhance the value of AppScan Source within your organization, the products include these components:

- AppScan Source Security Knowledgebase: In-context intelligence on each vulnerability, offering precise descriptions about the root cause, severity of risk, and actionable remediation advice.
- AppScan Enterprise Server: Most AppScan Source products and components must communicate with an AppScan Enterprise Server. Without one, you can use AppScan Source for Development in local mode - but features such as custom rules, shared scan configurations, and shared filters will be unavailable. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. The server includes an optional Enterprise Console component. If your administrator installs this component, you can publish assessments to it from AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface (CLI). The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.

  Note:

  - AppScan Enterprise Server is not supported on OS X.
  - If you have a basic server license, the server may only be accessed by up to ten (10) concurrent connections from AppScan products. With a premium server license, unlimited connections are allowed.

Important: When scanning, AppScan Enterprise Server and AppScan Source clients (except AppScan Source for Development) both require a direct connection to the AppScan Source Database (either solidDB® or Oracle).

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

Translated national languages

The AppScan Source user interfaces are available in these languages:

- English
- Brazilian Portuguese
- Simplified Chinese
- Traditional Chinese
- German
- Spanish
- French
- Italian
- Japanese
- Korean

What's New in AppScan Source

This topic describes new features that have been added to AppScan Source.

What's New in AppScan Source Version 9.0.0.1

- “New platform and integration solution support”
- “Improved JavaScript Statement Graph”

New platform and integration solution support

As of AppScan Source Version 9.0.0.1:

- Visual Studio 2013 project files can be scanned on Windows - and the AppScan Source for Development (Visual Studio plug-in) can be applied to Visual Studio 2013 on Windows.

Improved JavaScript Statement Graph

JavaScript statements in the Trace view now include the section of code that is of interest, if available.

What's New in AppScan Source Version 9.0

- “New platform and integration solution support”
- “IBM Worklight integration”
- “Using AppScan Source for Development without an AppScan Enterprise Server”
- “Optional AppScan Source for Development Eclipse plug-in quality component”
- “Floating license option for AppScan Source for Automation”
- “Enhanced and new scanning support”
- “Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB)”
- “Quality analysis feature deprecation in Version 9.0”

New platform and integration solution support

As of AppScan Source Version 9.0, these operating systems are supported:

- Microsoft Windows 8 Professional and Enterprise
- Microsoft Windows 8.1 Professional and Enterprise
- Microsoft Windows Server 2012 R2 Datacenter, Standard, and Essentials Editions
- Red Hat Enterprise Linux Version 6 Update 5

In addition:

- OS X: The AppScan Source for Development Eclipse plug-in is now supported on OS X:
  - Eclipse Versions 3.6, 3.7, 3.8, 4.2, 4.2.x, 4.3, 4.3.1, and 4.3.2 project files and workspaces (Java™ and IBM Worklight only) can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to these versions of Eclipse.
  - Rational Application Developer for WebSphere Software (RAD) Versions 9.0 and 9.0.1 project files and workspaces (Java and IBM Worklight only) can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to RAD Versions 9.0 and 9.0.1.
  - You can now scan an Xcode project from the AppScan Source for Development Eclipse plug-in.
- Windows and Linux: Rational Application Developer for WebSphere Software (RAD) Versions 8.5.5 and 9.0.1 project files and workspaces (Java and IBM Worklight only) can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to RAD Versions 8.5.5 and 9.0.1.
- Eclipse Versions 4.3.1 and 4.3.2 project files and workspaces (Java and IBM Worklight only) can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to these versions of Eclipse.
- Rational Team Concert™ Versions 4.0.5 and 4.0.6 are now supported defect tracking systems.
- Xcode 5.0 for Objective-C (for iOS applications only) is now a supported compiler on OS X.

IBM Worklight integration

The AppScan Source for Development Eclipse plug-in now integrates with IBM Worklight. When AppScan Source for Development and IBM Worklight are installed to your Eclipse-based environment, you have the option to scan Worklight projects, applications, environments, and HTML files.

Using AppScan Source for Development without an AppScan Enterprise Server

As of AppScan Source Version 9.0, the AppScan Source for Development plug-ins can be used without AppScan Enterprise Server. In server mode, you connect to the server to run scans and access shared data, just as in previous product versions. In the new local mode, AppScan Source for Development runs without ever connecting to a server - and you cannot access shared items such as filters, scan configurations, and custom rules.

Important: If you are using a floating license in local mode, you must still have a connection to the license server to be able to use AppScan Source for Development.

Optional AppScan Source for Development Eclipse plug-in quality component

As of AppScan Source Version 9.0, the AppScan Source for Development Eclipse plug-in quality component is provided as an optional installation.

Floating license option for AppScan Source for Automation

As of AppScan Source Version 9.0, AppScan Source for Automation has a floating license option.

Enhanced and new scanning support

- Performance is now improved when scanning JavaScript.
- Android KitKat (4.4) is now supported.
- AppScan Source now supports scanning applications that use these application programming interfaces (API): Worklight, Cordova, HTML5, JQuery, and JQuery Mobile.

Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB)

AppScan Source supports scanning applications on Windows 7 machines that are configured with the USGCB specification.

Note: On machines that are configured with the USGCB specification, AppScan Source does not support defect tracking system integration with HP Quality Center or Rational ClearQuest®.

Quality analysis feature deprecation in Version 9.0

The Java and C++ code quality analysis features are deprecated as of AppScan Source Version 9.0. These features can still be used in this version, but will not be supported or available in future versions.

Migrating to AppScan Source Version 9.0 from Version 8.7

This topic contains migration information for changes that went into AppScan Source Version 8.8. If you are upgrading AppScan Source Version 8.7 to Version 9.0, refer to this set of migration instructions in addition to the topic that describes migrating from Version 8.8 to Version 9.0.

- “Changes to findings classifications”
- “Default settings changes that will improve scan coverage”
- “Restoring AppScan Source predefined filters from previous versions”

Changes to findings classifications

As of AppScan Source Version 8.8, findings classifications have changed. This table lists the old classifications mapped to the new classifications:

Table 1. Findings classification changes

| Findings classifications prior to AppScan Source Version 8.8 | Classifications in AppScan Source Version 8.8 |
| --- | --- |
| Vulnerability | Definitive security finding |
| Type I Exception | Suspect security finding |
| Type II Exception | Scan coverage finding |

An example of these changes can be seen in the Vulnerability Matrix view.

As of Version 8.8, the view looks like this:

Default settings changes that will improve scan coverage

As of AppScan Source Version 8.8:

- The default value of show_informational_findings in scan.ozsettings has changed from true to false.
- The default value of wafl_globals_tracking in ipva.ozsettings has changed from false to true. This setting enables AppScan Source to find dataflow between different components of a framework-based application (for example, dataflow from a controller to a view).

The change to show_informational_findings will result in assessments not including findings with a severity level of Info by default.

Note: If you have scan configurations that were created prior to Version 8.8 that did not explicitly set values for these settings, the scan configurations will now use their new default values.

Restoring AppScan Source predefined filters from previous versions

In AppScan Source Version 8.8, predefined filters were improved to provide better scan results. If you need to continue using the predefined filters from older versions of AppScan Source (archived filters are listed in “AppScan Source predefined filters (Version 8.7.x and earlier)” on page 116), follow the instructions in “Restoring archived predefined filters” on page 118.

Important concepts

Before you begin to use or administer AppScan Source, you should become familiar with fundamental AppScan Source concepts. This section defines basic AppScan Source terminology and concepts. Subsequent chapters repeat these definitions to help you understand their context in AppScan Source for Analysis.

AppScan Source for Analysis scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. A bundle is a named collection of individual findings and is stored with an application.

Applications, their attributes, and projects are created and organized in AppScan Source for Analysis:

- Applications: An application contains one or more projects and their related attributes.
- Projects: A project consists of a set of files (including source code) and their related information (such as configuration data). A project is always part of an application.
- Attributes: An attribute is a characteristic of an application that helps organize the scan results into meaningful groupings, such as by department or project leader. You define attributes in AppScan Source for Analysis.

The principal activity of AppScan Source for Analysis is to scan source code and analyze vulnerabilities. Assessments provide an analysis of source code for vulnerabilities including:

- Severity: High, medium, or low, indicating the level of risk
- Vulnerability Type: Vulnerability category, such as SQL Injection or Buffer Overflow
- File: Code file in which the finding exists
- API/Source: The vulnerable call, showing the API and the arguments passed to it
- Method: Function or method from which the vulnerable call is made
- Location: Line and column number in the code file that contains the vulnerable API
- Classification: Security finding or scan coverage finding. For more information, see “Classifications.”

Classifications

Findings are classified by AppScan Source to indicate whether they are security or scan coverage findings. Security findings represent actual or likely security vulnerabilities - whereas scan coverage findings represent areas where configuration could be improved to provide better scan coverage.

Each finding falls into one of these classifications:

- Definitive security finding: A finding that contains a definitive design, implementation, or policy violation that presents an opportunity for an attacker to cause the application to operate in an unintended fashion.
  This attack could result in unauthorized access, theft, or corruption of data, systems, or resources. Every definitive security finding is fully articulated, and the specific underlying pattern of the vulnerable condition is known and described.
- Suspect security finding: A finding that indicates a suspicious and potentially vulnerable condition that requires additional information or investigation. A code element or structure that can create a vulnerability when used incorrectly.
  A suspect finding differs from a definitive finding because there is some unknown condition that prevents a conclusive determination of vulnerability. Examples of this uncertainty can be the use of dynamic elements, or of library functions for which the source code is not available. As a result, there is an additional level of research that is required to confirm or reject a suspect finding as definitive.
- Scan coverage finding: Findings that represent areas where configuration could be improved to provide better scan coverage (for example, lost sink findings).

Note: In some cases, a classification of None may be used to denote a classification that is neither a security finding nor a scan coverage finding.

Workflow

After installation, deployment, and user management, the AppScan Source workflow consists of these basic steps.

1. Set security requirements: A manager or security expert defines vulnerabilities and how to judge criticality.
2. Configure applications: Organize applications and projects.
3. Scan: Run the analysis against the target application to identify vulnerabilities.
4. Triage and analyze results: Security-minded staff study results to prioritize remediation workflow and separate real vulnerabilities from potential ones, allowing triage on critical issues to begin immediately. Isolate the issues you need to fix first.
5. Customize the Knowledgebase: Customize the AppScan Source Security Knowledgebase to address internal policies.
6. Publish scan results: Add scan results to the AppScan Source Database or publish them to the AppScan Enterprise Console.
7. Assign remediation tasks: Assign defects to the development team to resolve vulnerabilities.
8. Resolve issues: Eliminate vulnerabilities by rewriting code, removing flaws, or adding security functions.
9. Verify fixes: The code is scanned again to assure that vulnerabilities are eliminated.

[Figure: AppScan Source workflow. Stage labels: Configure; Scan (AppScan Source for Analysis, AppScan Source for Automation, AppScan Source for Development); Triage (AppScan Source for Analysis); Assign (AppScan Source for Analysis); Remediate (AppScan Source for Analysis, AppScan Source for Remediation, AppScan Source for Development); Monitor (Enterprise Console). Other labels: AppScan Source for Analysis, AppScan Enterprise Server.]

AppScan Source deployment models

This section describes three different deployment models and the components that comprise each model.

The AppScan Source products (coupled with the AppScan Enterprise Server) support several deployment options to meet varied organizational requirements. Client and server components comprise the product solution, and each component serves a specific purpose. Some deployment models require all components while others need only a few. Furthermore, some information technology policies require deployment of certain server components on separate computers versus all components on one computer.

This section describes three different deployment models:

- “Standard desktop deployment”
- “Small workgroup deployment”
- “Enterprise workgroup deployment”

The deployment that best fits your needs could be a combination of models. This table provides a brief description of each deployed AppScan Source product or component.

| Component | Description |
| --- | --- |
| AppScan Source for Analysis | A workbench to analyze, isolate, and take action on priority vulnerabilities. Provides security analysts, QA managers, and development managers with fast time-to-results. AppScan Source for Analysis must communicate with the AppScan Enterprise Server. |
| AppScan Source for Development | IDE-integrated components focused on remediation of vulnerabilities at the line of code level. AppScan Source for Development only communicates with the AppScan Enterprise Server when scanning source code. |
| AppScan Source Database | An out-of-the-box database that persists the AppScan Source Security Knowledgebase data, assessment data, and application/project inventory. Important: When scanning, AppScan Enterprise Server and AppScan Source clients (except AppScan Source for Development) both require a direct connection to the AppScan Source Database (either solidDB or Oracle). |
| AppScan Source for Automation | Automate key aspects of the AppScan Source workflow and integrate scans with build environments during the software development life cycle (SDLC). The Automation Server processes requests to scan and publish assessments and generate reports. It runs as a service/daemon and must communicate with the AppScan Enterprise Server. |
| AppScan Source command line interface (CLI) client | Provides command line access to various AppScan Source functions to enable integration, automation, and scripting, in addition to the functions provided by AppScan Source for Automation. The CLI must communicate with the AppScan Enterprise Server. |

Each of the components in the table must communicate with an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. In addition, if your administrator has installed the Enterprise Console component of the AppScan Enterprise Server, you can publish assessments to it. The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.

Standard desktop deployment

The standard desktop deployment is for a single AppScan Source user in a small organization or a security analyst/auditor who performs security assessments, both onsite and offsite. It assumes no defect tracking system integration or build integration (through use of AppScan Source for Automation). This deployment model consists of two AppScan Source components, AppScan Source for Analysis (client) and the AppScan Enterprise Server, installed on one computer, such as a notebook. The desktop deployment model focuses on scan results and individual productivity and convenience rather than the ability to deploy AppScan Source across numerous computers and optimization around a team effort.

With this model, a user authenticates to the AppScan Enterprise Server using the AppScan Source administrative account, and no LDAP Directory Server integration is expected. This model assumes that a source control management client on the computer provides access to source code, or the source code resides on the computer.

The standard desktop deployment is ideal for a mobile auditor. For example, the auditor might work onsite and then want to finish some work at home or while traveling. If the auditor logs in to the notebook running AppScan Source for Analysis and the AppScan Enterprise Server while offsite, there is access to the source code and the saved assessments. Later, when the auditor returns to work onsite, reconnecting to the source control system allows for the return of the corrected source to the corporate repository. This model allows for the generation of leave-behind reports with all of the assessment result details.

The following diagram depicts a standard desktop deployment with client and server components on the same computer.

[Figure: Standard desktop deployment. Labels: AppScan Source for Development, Database server, Source Control Manager client, AppScan Enterprise Server, AppScan Source database, AppScan Source for Analysis, Server, AppScan Source Command Line Client, Browser, Enterprise Console.]

Small workgroup deployment

The small workgroup deployment best fits a small to moderate size team that does not have many IT Compliance Guidelines related to application deployment.

With this model, AppScan Source server components reside on a dedicated computer, likely on the same subnet as computers running the AppScan Source client components. The expectation is that a local AppScan Source administrator manages AppScan Source user accounts and that no integration exists with a corporate LDAP Directory Server. In addition, the assumption is that a source control management client on the computer provides access to source code or a copy of the source also exists on the computer.

This model enables team collaboration with a minimal amount of deployment overhead and administration. It is important to understand that this deployment model includes:
- Security analysts and developers connect to the AppScan Enterprise Server
- Auditors/managers connect to the Enterprise Console component of AppScan Enterprise Server through a web browser
- AppScan Source server components run on a dedicated computer with access to source code

An installation for a small workgroup deployment consists of the client and server components that are necessary to run AppScan Source components on multiple computers on a network.

Server Components
- AppScan Source Database
- AppScan Source for Automation

Client Components
- AppScan Source for Analysis
- AppScan Source Command Line Interface
- AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default)
- Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system)
- Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system)
- Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system)

The following diagram depicts a small workgroup deployment of the AppScan Source components.


Enterprise workgroup deployment

The enterprise workgroup deployment is for medium to large teams in large organizations where enterprise considerations are required. This deployment works well if your organization must:
- Comply with IT Governance and Compliance Guidelines such as clustering and load balancing web applications
- Maximize corporate resources, such as having the database in a data center with automatic backups
- Run components within certain firewalls, requiring some form of port-forwarding

This deployment model expects that there is a corporate LDAP Directory Server and that authentication to use AppScan Source requires validation of credentials through the directory server. It also assumes that access to source code is available through a source control management client on the computer or the source resides on the computer, and that a defect tracking system integration is in place.

Typically, the organization automates application scans by integrating with the build process, thus requiring the deployment of AppScan Source for Automation. In this model, it is also possible that the enterprise has standardized on a database server, such as Oracle.

A common enterprise workgroup deployment would have these characteristics:
- Security analysts and developers connect to the AppScan Enterprise Server
- Auditors connect to the Enterprise Console component of AppScan Enterprise Server through a web browser


- AppScan Source server components run on different computers due to IT Governance and Compliance Guidelines
  - The Enterprise Console is on a central web application server cluster that is load balanced, and the Automation Server runs on one or more build servers
  - Data Center contains an Oracle Database Server
- Automation Server is deployed on the build systems
- AppScan Enterprise Server communicates with the LDAP Directory Server for user authentication
- AppScan Enterprise Server and AppScan Source clients connect to the AppScan Source Database hosted in a Data Center (and possibly requires a specific database such as Oracle)
- Source control clients provide access to source code on all appropriate computers
- AppScan Source for Analysis integrates with defect tracking system clients on the same computer

The following diagram depicts the deployment of the AppScan Source components in an Enterprise Workgroup environment.

[Diagram: enterprise workgroup deployment. Labels: AppScan Source server, AppScan Enterprise Server, Source control server, Active directory server, AppScan Source database, Oracle database server, Data Center, Developer, Administrator, Security Analyst, Manager, Defect tracking system server, Source control client, Defect tracking system client, AppScan Source for Development, AppScan Source for Analysis, Browser, Enterprise Console, Build server, Automation server.]


United States government regulation compliance

Compliance with United States government security and information technology regulations helps to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that IBM is working to make their products the most secure in the industry. This topic lists the standards and guidelines that AppScan Source supports.
- “Internet Protocol Version 6 (IPv6)”
- “Federal Information Processing Standard (FIPS)”
- “National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a”
- “Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB)”

Internet Protocol Version 6 (IPv6)

AppScan Source is enabled for IPv6, with these exceptions:
- Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported.
- IPv6 is not supported when connecting to Rational Team Concert.

Federal Information Processing Standard (FIPS)

On Windows and Linux platforms that are supported by AppScan Source, AppScan Source supports FIPS Publication 140-2, by using a FIPS 140-2 validated cryptographic module and approved algorithms. On OS X platforms that are supported by AppScan Source, manual steps are needed to operate in FIPS 140-2 mode.

To learn background information about AppScan Source FIPS compliance - and to learn how to enable and disable AppScan Source FIPS 140-2 mode, see these technotes:
- Operating AppScan Source version 8.7 or later in FIPS 140-2 mode on OS X
- How to enable/disable/verify FIPS 140-2 mode in AppScan Source (Linux and Windows)
- Background information about AppScan Source version 8.7 or later FIPS 140-2 support

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

NIST SP 800-131A guidelines provide cryptographic key management guidance. These guidelines include:
- Key management procedures.
- How to use cryptographic algorithms.
- Algorithms to use and their minimum strengths.
- Key lengths for secure communications.

Government agencies and financial institutions use the NIST SP 800-131A guidelines to ensure that the products conform to specified security requirements.


NIST SP 800-131A is supported only when AppScan Source is operating in FIPS 140-2 mode. To learn about enabling and disabling AppScan Source FIPS 140-2 mode, see “Federal Information Processing Standard (FIPS)” on page 14.

Important: If the AppScan Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you must set AppScan Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail.
- If you are not installing the AppScan Source Database (for example, you are only installing client components), you can force Transport Layer Security V1.2 by modifying <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57). In this file, locate this setting:

    <Setting
      name="tls_protocol_version"
      read_only="false"
      default_value="0"
      value="0"
      description="Minor Version of the TLS Connection Protocol"
      type="text"
      display_name="TLS Protocol Version"
      display_name_id=""
      available_values="0:1:2"
      hidden="false"
      force_upgrade="false"
    />

  In the setting, change value="0" to value="2" and then save the file.
- If you are installing the AppScan Source Database, you force Transport Layer Security V1.2 in the IBM Security AppScan Enterprise Server Database Configuration tool after installing both AppScan Source and the Enterprise Server.
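One way to check and apply the tls_protocol_version change described above on client-only installations is sketched below. This is an added example, not IBM's code: it assumes the file is UTF-8 text and that the Setting element has the form shown in this guide, and the sample content with its Settings wrapper element is constructed.

```python
"""Check and force TLS 1.2 in an AppScan Source ounce.ozsettings file."""
import re
import shutil
import sys

# Constructed sample. The <Setting .../> element is copied from the guide; the
# <Settings> wrapper is a hypothetical stand-in for the rest of the real file.
SAMPLE = """<Settings>
  <Setting
    name="tls_protocol_version"
    read_only="false"
    default_value="0"
    value="0"
    description="Minor Version of the TLS Connection Protocol"
    type="text"
    display_name="TLS Protocol Version"
    display_name_id=""
    available_values="0:1:2"
    hidden="false"
    force_upgrade="false"
  />
</Settings>
"""

# Matches the whole self-closing element, whatever the attribute order or layout.
SETTING_RE = re.compile(r'<Setting\b[^>]*\sname="tls_protocol_version"[^>]*/>')


def _attr(element, name):
    """Return the value of one attribute in the element text, or None."""
    match = re.search(r'\s' + re.escape(name) + r'="([^"]*)"', element)
    return match.group(1) if match else None


def find_setting(text):
    """Locate the tls_protocol_version element or raise LookupError."""
    match = SETTING_RE.search(text)
    if match is None:
        raise LookupError("tls_protocol_version setting not found")
    return match


def tls_minor_version(text):
    """Current TLS minor version as a string; "2" means TLS V1.2 is forced."""
    return _attr(find_setting(text).group(0), "value")


def force_tls12(text):
    """Return (new_text, changed) with value="2" set on the setting."""
    match = find_setting(text)
    element = match.group(0)
    current = _attr(element, "value")
    if current is None:
        raise ValueError("setting has no value attribute")
    allowed = (_attr(element, "available_values") or "").split(":")
    if "2" not in allowed:
        raise ValueError("this settings file does not offer TLS minor version 2")
    if current == "2":
        return text, False
    # The leading \s anchors on the bare attribute, so default_value="0"
    # and available_values are left untouched.
    patched = re.sub(r'(\s)value="[^"]*"', r'\1value="2"', element, count=1)
    return text[:match.start()] + patched + text[match.end():], True


def apply_to_file(path):
    """Patch the file in place, keeping a .bak copy. Returns True if changed."""
    # newline="" preserves the file's existing line endings; UTF-8 is assumed.
    with open(path, encoding="utf-8", newline="") as handle:
        original = handle.read()
    updated, changed = force_tls12(original)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8", newline="") as handle:
            handle.write(updated)
    return changed


if __name__ == "__main__":
    # Pass the path to ounce.ozsettings under <data_dir>/config as argument 1.
    target = sys.argv[1]
    print("changed" if apply_to_file(target) else "already forcing TLS V1.2")
```

Running `tls_minor_version` across a fleet's settings files gives a quick audit of which clients will fail to connect once the server enforces NIST 800-131a.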

Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB)

AppScan Source supports scanning applications on Windows 7 machines that are configured with the USGCB specification.

Note: On machines that are configured with the USGCB specification, AppScan Source does not support defect tracking system integration with HP Quality Center or Rational ClearQuest.

AppScan Source and accessibility

Accessibility affects users with physical disabilities, such as restricted mobility or limited vision. Accessibility issues can impede the ability to use software products successfully. This topic outlines known AppScan Source accessibility issues and their workarounds.

Using JAWS Screen Reading Software with the AppScan Source installer

To use Freedom Scientific JAWS (http://www.freedomscientific.com/products/fs/jaws-product-page.asp) when running the AppScan Source installer, you must install Java Access Bridge in the AppScan Source JVM. This will allow JAWS to properly speak labels and controls in the installer panels.


- Information about the Java Access Bridge (including the download link and installation instructions) can be found at http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136191.html.
- Information about the InstallAnywhere requirement for installing the Java Access Bridge can be found at http://kb.flexerasoftware.com/selfservice/documentLink.do?externalID=Q200311.

Using JAWS Screen Reading Software in user interface panels with descriptive text

Many parts of the AppScan Source user interface contain descriptive text. In most cases, you must use the JAWS Insert+B keystroke to be able to read this descriptive text.


Chapter 2. System requirements and installation prerequisites

To run AppScan Source components, your computers must meet the minimum requirements outlined (per product) in http://www.ibm.com/support/docview.wss?uid=swg27027486.

To learn about AppScan Source language support, see “AppScan Source language support.”

AppScan Source language support

This topic lists the languages that can be scanned in AppScan Source.
- “Language Support on Windows”
- “Language Support on Linux”
- “Language Support on OS X”

Language Support on Windows

IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI) support scanning these languages:
- C/C++
- COBOL
- ColdFusion
- Java (including support for Android APIs)
- JavaServer Pages (JSP)
- JavaScript
- Perl
- PHP (Versions 4.x and 5.x)
- PL/SQL
- T-SQL
- .NET (C#, ASP.NET, VB.NET) - Microsoft .NET Framework Versions 2.0, 3.0, 3.5, 4.0, and 4.5
- ASP (JavaScript/VBScript)
- Visual Basic 6

Note: For PHP, Visual Basic 6, and Classic ASP, only ISO-8859-1 (Western Europe), UTF-8, and UTF-16 character sets are supported.

The AppScan Source for Development Visual Studio plug-in supports scanning C/C++ and .NET (C#, ASP.NET, VB.NET).

The AppScan Source for Development Eclipse Plug-in (which can be applied to Eclipse or IBM Rational Application Developer for WebSphere Software (RAD)) supports scanning Java (including support for Android APIs), JavaServer Pages (JSP), and IBM Worklight projects.


Language Support on Linux

IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI) support scanning these languages:
- C/C++
- COBOL
- ColdFusion
- Java (including support for Android APIs)
- JavaServer Pages (JSP)
- JavaScript
- Perl
- PHP (Versions 4.x and 5.x)
- PL/SQL
- T-SQL

Note: For PHP, only ISO-8859-1 (Western Europe), UTF-8, and UTF-16 character sets are supported.

The AppScan Source for Development Eclipse Plug-in (which can be applied to Eclipse or IBM Rational Application Developer for WebSphere Software (RAD)) supports scanning Java (including support for Android APIs), JavaServer Pages (JSP), and IBM Worklight projects.

Language Support on OS X

IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI) support scanning these languages:
- Objective-C in Xcode projects
- Java (including support for Android APIs)
- JavaServer Pages (JSP)
- JavaScript

The AppScan Source for Development Eclipse Plug-in (which can be applied to Eclipse or IBM Rational Application Developer for WebSphere Software (RAD)) supports scanning Java (including support for Android APIs), JavaServer Pages (JSP), Objective-C in Xcode projects, and IBM Worklight projects.

AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux

On Linux, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan Source for Analysis and the AppScan Source for Development Eclipse plug-in may exhibit symptoms such as a hang after login or a fail during product use.

Information about this prerequisite is available at http://www.eclipse.org/swt/faq.php#browserwebkitgtk.
- “Enabling browser-based content on Linux for AppScan Source for Analysis”


- “Enabling browser-based content on Linux for AppScan Source for Development installed to Eclipse Version 3.7 or later”
- “Enabling browser-based content on Linux for AppScan Source for Development installed to Eclipse Version 3.6 or earlier”

Enabling browser-based content on Linux for AppScan Source for Analysis

AppScan Source for Analysis is built on Eclipse and is, therefore, affected by this issue.

The recommended approach for correcting this is to ensure that a 32-bit or i686 version of WebKitGTK 1.2.0 or later is installed. You should consult with your system administrator for the proper way to get packages installed, but on some systems this may be as simple as issuing yum install webkitgtk.i686.

If you are unable to install WebKitGTK, you can choose to install a 32-bit version of Mozilla XULRunner 1.8. With this option, you may also need to make these updates to your environment variables:
- Set MOZILLA_FIVE_HOME to the XULRunner installation location.
- Update LD_LIBRARY_PATH to append (or pre-pend) $MOZILLA_FIVE_HOME

Enabling browser-based content on Linux for AppScan Source for Development installed to Eclipse Version 3.7 or later

The recommended approach for correcting this is to ensure that a 32-bit or i686 version of WebKitGTK 1.2.0 or later is installed. You should consult with your system administrator for the proper way to get packages installed, but on some systems this may be as simple as issuing yum install webkitgtk.i686.

If you are unable to install WebKitGTK, you can choose to install a 32-bit version of Mozilla XULRunner 1.8. With this option, you may also need to make these updates to your environment variables:
- Set MOZILLA_FIVE_HOME to the XULRunner installation location.
- Update LD_LIBRARY_PATH to append (or pre-pend) $MOZILLA_FIVE_HOME

Enabling browser-based content on Linux for AppScan Source for Development installed to Eclipse Version 3.6 or earlier

Ensure that you have a 32-bit version of Mozilla XULRunner Version 1.8 installed (Version 1.8.0.4 works in most environments - see https://developer.mozilla.org/en-US/docs/XULRunner_1.8.0.4_Release_Notes). After installing XULRunner, you may also need to make these updates to your environment variables:
- Set MOZILLA_FIVE_HOME to the XULRunner installation location.
- Update LD_LIBRARY_PATH to append (or pre-pend) $MOZILLA_FIVE_HOME


Chapter 3. Sample installation scenarios

When installing AppScan Source, it is important that the correct installation workflow be followed. These topics guide you through the workflow involved in some sample installation scenarios.

Important:
- Before installing any component required for AppScan Source, consult the component's system requirements to ensure it supports your operating system.
- These scenarios do not apply to OS X.

AppScan Source consists of key components, listed here in the order in which they should be installed:
- Rational License Server: This is required for AppScan Enterprise Server license application. It is also used for applying AppScan Source floating licenses (but not for applying AppScan Source local license files).
- AppScan Enterprise Server: All AppScan Source products and components must communicate with an AppScan Enterprise Server. Once installed, you specify the Rational License Server to which you have imported the AppScan Enterprise Server license.
- AppScan Source product images: This includes AppScan Source for Analysis, AppScan Source for Automation, AppScan Source for Development, and AppScan Source for Remediation. Once installed, you specify the AppScan Enterprise Server that the AppScan Source Database will connect to. In addition, if you will make use of a floating license for AppScan Source, you specify the Rational License Server to which you have imported the AppScan Source license.

The instructions in these scenarios assume that:
- All components are being installed on Microsoft Windows. For some instructions, basic Linux settings and information are provided - however, main scenario workflow is described only for Windows.
- You have administrative privileges on the machine or machines on which you are installing AppScan Source components.
- You are only installing the user management features of the AppScan Enterprise Server.
- You will use IBM solidDB as your AppScan Source Database.
- A floating license will be used for activating the AppScan Enterprise Server and local license files will be used for activating AppScan Source components.

The scenarios are:
- “Installing all required components on one machine”
- “Installing AppScan Source components in a multi-machine environment”
- “Installing AppScan Source and integrating it with an existing AppScan Enterprise Server”
- “Migrating Rational AppScan Source Edition Version 8.0.x or earlier to Version 8.6.x”


Installing all required components on one machine

In this scenario, all components are installed on one machine. When configuring component connections, localhost settings are applied.

About this task

This scenario is divided into four sections:
- “Installing IBM Rational License Server”
- “Installing IBM Security AppScan Enterprise Server”
- “Installing AppScan Source”
- “Logging into AppScan Source”

Installing IBM Rational License Server

The Rational License Server is used for hosting your AppScan Enterprise Server license. It can also be used for hosting AppScan Source floating licenses, however, this is not covered in these instructions.

About this task

If you already have a supported version of Rational License Server installed, you can skip the portion of these instructions that cover Rational License Server installation - and proceed to the portion of the instructions that covers launching License Key Administrator and importing your license. Supported Rational License Server versions are outlined in the AppScan Enterprise Server system requirements (http://www.ibm.com/support/docview.wss?uid=swg27027541) and the AppScan Source system requirements (http://www.ibm.com/support/docview.wss?uid=swg27027486).

Procedure
1. Locate the Rational License Key Server image (on your AppScan Source product DVDs or that you downloaded as part of the AppScan Source eAssembly at IBM Passport Advantage®).
2. Extract the image to a local drive and, in the resulting directory, locate and run RLKSSERVER_SETUP\disk1\launchpad.exe.
3. In the Rational License Server installer, click Install or Update IBM Rational License Key Server.
4. If IBM Installation Manager is not already installed on your system, it will launch for installation purposes.
   a. On the first page of the Install Packages wizard, ensure that the IBM Installation Manager check box, and check boxes for all entries beneath it, are selected. Click Next.
   b. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.
   c. In the Location page, specify the installation directory and then click Next.
   d. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.
   e. When the installation is complete, click Restart Installation Manager. This will launch Installation Manager and allow you to install


5. On the first page of the Install Packages wizard, ensure that the IBM Rational License Key Server check box, and check boxes for all entries beneath it, are selected. Click Next.
6. In the Prerequisites page, you are instructed to close all applications and disable anti-virus software. Complete these precautionary tasks and then click Next.
7. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.
8. In the Location page, specify the installation directory and then click Next.
9. Complete the Package Group page according to your needs (for example, if you are using Installation Manager for the first time and have no existing package group, leave the default settings as-is). Click Next.
10. In the Translation Selection page, select the national languages that you want to install. Click Next.
11. On the Features page, ensure that all features are selected and then click Next.
12. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.
13. When the installation is complete, click Finish and close IBM Installation Manager.
14. Launch the IBM Rational License Key Administrator from the Windows Start menu (in the Programs menu, launch IBM Rational > License Key Administrator).
15. When the IBM Rational License Key Administrator starts, you are prompted with the License Key Administrator Wizard (if the wizard does not open automatically, select License Keys > License Key Wizard from the main menu). In this wizard, select Import a Rational License File and then click Next.
16. In the Import a License File panel, click Browse and then navigate to your AppScan Enterprise Server license file. Open the file with the browse dialog box and then click Import.
17. After confirming the license or licenses that will be imported, the Restart License Server dialog box will open. Click Yes to restart the license server. If the License Server service fails to start, open the Windows Services administrative tool. In the tool, locate FLEXlm License Manager and start it.

Installing IBM Security AppScan Enterprise Server

Procedure
1. Locate the AppScan Enterprise Server image (on your AppScan Source product DVDs or that you downloaded as part of the AppScan Source eAssembly at IBM Passport Advantage). For additional information about AppScan Enterprise Server, refer to the “AppScan Enterprise Server overview” on page 59 topic in the IBM Security AppScan Source Installation and Administration Guide.
2. Extract the image to a local drive and, in the resulting directory, locate and run AppScanEnterpriseServerSetup_<version>.exe.
3. When the installer welcome panel opens, click Next - and then read the upgrade notes and click Next.


4. On the License Agreement panel, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.
5. In the Destination Folder panel, specify the installation directory and then click Next.
6. The Ready to Install the Program panel allows you to proceed with the installation or return to previous installation panels if you want to change installation settings. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.
7. When the server installation is complete, the Setup Wizard Completed panel links to help that instructs you how to secure the server with a valid SSL certificate. It is recommended that you install a valid SSL certificate (this can be done at this stage or after the installation is complete). Ensure that Launch Configuration Wizard is selected and then click Finish to proceed to the Configuration panels.
8. When the Server Configuration Wizard welcome panel opens, click Next.
9. In the License Server panel, enter localhost in the License server field (or the fully-qualified host name of the local machine) and then click Next.
10. The Server Components panel lists two components that can be configured. The first, User Administration, is required for AppScan Source. The second, Enterprise Console, is offered for those who want to use the server for advanced assessment management. This feature is optional for AppScan Source usage and should be deselected if you do not intend on using the server for advanced assessment management. If this feature is selected, the server installation will require prerequisites and settings that are outside the scope of these instructions. After selecting the program feature or features that you want to install, click Next.
11. In the Instance Name panel, specify the name of the instance you want to configure.
12. The Authentication Mechanism panel allows you to choose between Windows authentication and Jazz™ Team Server authentication. If you will use LDAP authentication with the Microsoft Active Directory LDAP server, choose Authenticate via Windows. For all other LDAP servers, choose Authenticate via Jazz Team Server.
13. In the Service Account panel, enter the domain, user name, and password for the machine that will run the AppScan Enterprise Server service.
14. In the Database Connection panel, enter the name of the database server and the name of the database. When AppScan Enterprise Server creates the database in the SQL Server, it automatically configures the collation for it.

    Note: If you are upgrading an existing database, the Database Encryption Changes panel opens. Click Help to learn how to protect the SQL Server where the database is located. If you decide not to enable Transparent Data Encryption, select the check box so you can continue configuration.
15. Jazz Team Server authentication only: If you selected Jazz Team Server authentication, the next panel allows you to specify the administrator password for the server - and configure the Jazz Team Server that will be created:
    a. Enter the fully-qualified host name of the machine on which you are installing AppScan Enterprise Server.
    b. By default the administrative password is ADMIN. If you are configuring the server for the first time, log in with the default values, and you will be prompted to change the password. You are encouraged to specify a new password using the password fields in the panel. If you have previously configured the server and changed the default password, enter that password.
    c. After dismissing the password prompt, click Next to begin configuring the Jazz Team Server. This process may take a few minutes.

    Note:
    - You cannot specify localhost in this field.
    - If this process is unsuccessful, open the Windows Services administrative tool. In the tool, locate AppScan Enterprise Server – Tomcat and start it if it is not running. Then click Next in the install panel to try to create the Jazz Team Server Public URI again.

    Tip: During installation, if you receive a could not contact JTS error message, the URI creation process could be experiencing a timeout. Waiting a minute and then clicking Next again may resolve the issue.
16. In the Server Certificate panel, choose a certificate specific to your organization. This step helps you deploy a secure Enterprise Server in your environment.
17. In the Product Administrator panel, specify a user as Product Administrator. This user is licensed separately. If you want to reassign the Product Administrator license, you must rerun the configuration wizard.
18. When the setup is complete, click Finish in the Specifications Complete panel. When configuration is complete, click Exit in the Configuration Complete panel.

What to do next

If AppScan Source was installed prior to installing the Enterprise Server, you will need to register the Database with the Enterprise Server. A utility for doing this is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the AppScan Source Installation and Administration Guide.

If you need to uninstall the Enterprise Server, you must delete its installation directory before installing it again.

Installing AppScan Source

Procedure
1. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage).
2. Extract the image to a local drive and, in the resulting directory, locate and run setup.exe. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 56 topic in the IBM Security AppScan Source Installation and Administration Guide.

   Note: There are images for each product in the AppScan Source family. The setup.exe file is located at the root of these zipped images.
3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed.


4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure.

5. In the Component Selection installation panel, select the components to install. AppScan Source components are divided into server and client components:

   a. To install AppScan Source server components, select Server Component Selection and then choose the components to install:
      • AppScan Source Database
      • AppScan Source for Automation

   b. To install AppScan Source client components, select Client Component Selection and then choose the components to install:
      • AppScan Source for Analysis
      • AppScan Source Command Line Interface
      • AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default)
      • Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system)
      • Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system)
      • Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system)

      By default, when Client Component Selection is selected, the AppScan Source for Development plug-in components are deselected and all other components are selected.

   After you have selected the components that you want to install, click Next to advance to the next installation panel.

6. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to:

   • I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source.

   • I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

   • I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

   • I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields:
      – AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format.
      – User ID: Specify your AppScan Enterprise Server user ID.
      – Password: Specify the password for your AppScan Enterprise Server user ID.
     When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source.

   • Let me proceed without specifying a server: Select this option to proceed without specifying a server.

   Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70, ensuring that the Force TLSv1.2 option is applied.

   Click Next to advance to the next installation panel.

   Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options.

7. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are:

   • 32-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files\IBM\AppScanSource
   • 64-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files (x86)\IBM\AppScanSource
   • Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to <home_directory>/AppScan_Source by default.
   • OS X: /Applications/AppScanSource.app

   Important:

   • The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted.
   • If you are installing on Windows, you must have Administrator privileges to install AppScan Source components.
   • If you are installing on Linux, you must have root privileges to install AppScan Source server components.

   Click Next to advance to the next installation panel.

8. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select one of:

   • Install solidDB
   • Install database into existing Oracle 11g Server

   For additional information about installing solidDB - or to an existing Oracle database - refer to the “Installing the database and configuring connections to AppScan Enterprise Server” on page 60 topic in the IBM Security AppScan Source Installation and Administration Guide.


   Click Next to advance to the next installation panel.

9. If you choose to install a solidDB database in the Database selection panel, you are prompted with the Configure IBM solidDB Admin User panel. In it, configure the solidDB database administrator account. The default database administrator user name and password are both dba. You cannot change this user name; however, the password can be changed.

   Note: To learn how to change the user password after completing the product installation, see “Changing IBM solidDB user passwords after installation” on page 116.

   Click Next to advance to the next installation panel.

10. The Configure IBM solidDB AppScan Source User panel allows you to configure the solidDB AppScan Source database user account. You can retain the default user name, ounce, and default password, ounce. All components that read from or write to the AppScan Source Database use this account.

   Note:

   • If you change the user names and passwords, you must keep a record of the new configuration in case your IBM support representative requires access to your AppScan Source Database.
   • To learn how to change the user password after completing the product installation, see “Changing IBM solidDB user passwords after installation” on page 116.

   Click Next to advance to the next installation panel.

11. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

   By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

   After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

   Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

12. Review and accept the terms of the license agreement and then click Next to continue.

13. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive.

   For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.)

   During the installation, clicking Cancel at any time results in the uninstallation of all components.


14. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings - and that the server has been configured for Jazz Team Server authentication.

   • If the server is configured for Windows authentication, select the Configure the AppScan Enterprise Server now check box and then enter the Windows credentials that were used when your account was added to the server (the user ID must be in the format <host name>\<user id>).
   • If the server is configured for Jazz Team Server authentication, for this installation scenario, the default settings should be correct - with the exception of the server administrative Password. If you changed the default password during the AppScan Enterprise Server installation, select the Configure the AppScan Enterprise Server now check box and then enter the password in the Password field.

   Note: The entry in the Database Host Name field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly.

   Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the IBM Security AppScan Source Installation and Administration Guide.

   Click Next to advance to the next installation panel.

15. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard.

16. In the License Manager utility:

   a. To apply a license file, click Import and then browse to your downloaded AppScan Source license.
   b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license.

   See Chapter 7, “Activating the software,” on page 99 for additional activation instructions.
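The Linux requirements stated in this procedure (an installation directory with English characters only, root privileges for server components, and a daemon user that exists and has a valid shell) can be checked before the wizard is launched. The script below is an added example, not part of the IBM guide or the installer. It assumes that "English characters" means printable ASCII and that a "valid shell" is one listed in a shells file and not a no-login placeholder; the function names and the sample account data are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for a Linux install of AppScan Source server components.
# Added example mirroring requirements stated in the guide; it is not the
# installer's own validation logic.

# Return 0 if $1 is non-empty and contains only printable ASCII.
# Assumption: the guide's "English characters" is read as printable ASCII.
path_is_ascii() {
    [ -n "$1" ] || return 1
    leftover=$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:]')
    [ -z "$leftover" ]
}

# Return 0 if the given uid (default: the current user's) is 0.
has_root_uid() {
    uid=${1:-$(id -u)}
    [ "$uid" -eq 0 ]
}

# Print the login shell of user $1 from passwd-format file $2.
# An empty shell field is reported as /bin/sh, per passwd(5). Returns 1 if no entry.
user_shell() {
    awk -F: -v u="$1" '
        $1 == u { print ($7 == "" ? "/bin/sh" : $7); found = 1; exit }
        END     { exit (found ? 0 : 1) }
    ' "$2"
}

# Return 0 if user $1 has an entry in $2 and a usable login shell.
# Assumption: "valid shell" means listed in shells file $3 and not a no-login
# placeholder; the guide does not define the installer's test.
# Return codes: 1 = no such user, 2 = no-login shell, 3 = shell not listed.
daemon_user_ok() {
    shell=$(user_shell "$1" "$2") || { echo "FAIL: user '$1' not found in $2"; return 1; }
    case "$shell" in
        */nologin|*/false) echo "FAIL: user '$1' has no-login shell $shell"; return 2 ;;
    esac
    grep -v '^#' "$3" | grep -qxF -- "$shell" \
        || { echo "FAIL: shell $shell of user '$1' is not listed in $3"; return 3; }
}

# Run all checks and return the number of failed checks (0 = ready).
# Arguments: install_dir daemon_user passwd_file shells_file [uid]
preflight() {
    failures=0
    path_is_ascii "$1" \
        || { echo "FAIL: installation directory is not ASCII-only: $1"; failures=$((failures + 1)); }
    daemon_user_ok "$2" "$3" "$4" || failures=$((failures + 1))
    has_root_uid "${5:-}" \
        || { echo "FAIL: server components require root privileges"; failures=$((failures + 1)); }
    return "$failures"
}

# Write constructed passwd- and shells-format sample files into directory $1.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ounce:x:1001:1001:AppScan Source daemon:/home/ounce:/bin/bash
svc_nologin:x:1002:1002:service account:/nonexistent:/usr/sbin/nologin
svc_odd:x:1003:1003:service account:/home/svc_odd:/opt/custom/sh
EOF
    cat > "$1/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
EOF
}

# Demo on the constructed samples. uid 0 is passed explicitly so the result
# does not depend on who runs the script.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if preflight /opt/ibm/appscansource ounce "$demo_dir/passwd" "$demo_dir/shells" 0; then
    echo "OK: pre-flight checks passed for daemon user 'ounce'"
fi
rm -rf "$demo_dir"
```

To check a real host, call preflight with /etc/passwd and /etc/shells and omit the uid argument so that the caller's own uid is tested.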

Logging into AppScan Source

About this task

Refer to the section below for a description of the fields requested when you log in. For detailed information, see the “Logging in to AppScan Enterprise Server from AppScan Source products” on page 110 topic in the IBM Security AppScan Source Installation and Administration Guide.

Procedure

• User ID: Specify your user ID.
• Password: Specify the password for your user ID.
• AppScan Enterprise Server: Specify the hostname for your AppScan Enterprise Server instance in the existing URL format. For this installation scenario, specify https://localhost:9443/asc/ or localhost.

Installing AppScan Source components in a multi-machine environment

AppScan Source components can be installed on multiple machines. In this scenario, components are deployed in a multi-machine environment. Rational License Server, AppScan Enterprise Server, AppScan Source client products, and the AppScan Source Database are all installed on different machines.

About this task

This scenario is divided into five sections:

• “Installing IBM Rational License Server on Machine A”
• “Installing IBM Security AppScan Enterprise Server on Machine B” on page 31
• “Installing AppScan Source client products on Machine C” on page 33
• “Installing the AppScan Source Database on Machine D” on page 36
• “Logging into AppScan Source” on page 39

Installing IBM Rational License Server on Machine A

The Rational License Server is used for hosting your AppScan Enterprise Server license. It can also be used for hosting AppScan Source floating licenses; however, this is not covered in these instructions.

About this task

If you already have a supported version of Rational License Server installed, you can skip the portion of these instructions that covers Rational License Server installation - and proceed to the portion of the instructions that covers launching License Key Administrator and importing your license. Supported Rational License Server versions are outlined in the AppScan Enterprise Server system requirements (http://www.ibm.com/support/docview.wss?uid=swg27027541) and the AppScan Source system requirements (http://www.ibm.com/support/docview.wss?uid=swg27027486).

Procedure

1. Locate the Rational License Key Server image (on your AppScan Source product DVDs or that you downloaded as part of the AppScan Source eAssembly at IBM Passport Advantage).

2. Extract the image to a local drive and, in the resulting directory, locate and run RLKSSERVER_SETUP\disk1\launchpad.exe.

3. In the Rational License Server installer, click Install or Update IBM Rational License Key Server.

4. If IBM Installation Manager is not already installed on your system, it will launch for installation purposes.

   a. On the first page of the Install Packages wizard, ensure that the IBM Installation Manager check box, and check boxes for all entries beneath it, are selected. Click Next.


   b. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.

   c. In the Location page, specify the installation directory and then click Next.

   d. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.

   e. When the installation is complete, click Restart Installation Manager. This will launch Installation Manager and allow you to install

5. On the first page of the Install Packages wizard, ensure that the IBM Rational License Key Server check box, and check boxes for all entries beneath it, are selected. Click Next.

6. In the Prerequisites page, you are instructed to close all applications and disable anti-virus software. Complete these precautionary tasks and then click Next.

7. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.

8. In the Location page, specify the installation directory and then click Next.

9. Complete the Package Group page according to your needs (for example, if you are using Installation Manager for the first time and have no existing package group, leave the default settings as-is). Click Next.

10. In the Translation Selection page, select the national languages that you want to install. Click Next.

11. On the Features page, ensure that all features are selected and then click Next.

12. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.

13. When the installation is complete, click Finish and close IBM Installation Manager.

14. Launch the IBM Rational License Key Administrator from the Windows Start menu (in the Programs menu, launch IBM Rational > License Key Administrator).

15. When the IBM Rational License Key Administrator starts, you are prompted with the License Key Administrator Wizard (if the wizard does not open automatically, select License Keys > License Key Wizard from the main menu). In this wizard, select Import a Rational License File and then click Next.

16. In the Import a License File panel, click Browse and then navigate to your AppScan Enterprise Server license file. Open the file with the browse dialog box and then click Import.

17. After confirming the license or licenses that will be imported, the Restart License Server dialog box will open. Click Yes to restart the license server. If the License Server service fails to start, open the Windows Services administrative tool. In the tool, locate FLEXlm License Manager and start it.

Installing IBM Security AppScan Enterprise Server on Machine B

Procedure

1. Locate the AppScan Enterprise Server image (on your AppScan Source product DVDs or that you downloaded as part of the AppScan Source eAssembly at IBM Passport Advantage). For additional information about AppScan Enterprise Server, refer to the “AppScan Enterprise Server overview” on page 59 topic in the IBM Security AppScan Source Installation and Administration Guide.

2. Extract the image to a local drive and, in the resulting directory, locate and run AppScanEnterpriseServerSetup_<version>.exe.

3. When the installer welcome panel opens, click Next - and then read the upgrade notes and click Next.

4. On the License Agreement panel, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.

5. In the Destination Folder panel, specify the installation directory and then click Next.

6. The Ready to Install the Program panel allows you to proceed with the installation or return to previous installation panels if you want to change installation settings. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.

7. When the server installation is complete, the Setup Wizard Completed panel links to help that instructs you how to secure the server with a valid SSL certificate. It is recommended that you install a valid SSL certificate (this can be done at this stage or after the installation is complete). Ensure that Launch Configuration Wizard is selected and then click Finish to proceed to the Configuration panels.

8. When the Server Configuration Wizard welcome panel opens, click Next.

9. In the License Server panel, specify the fully-qualified host name of the machine on which you installed and configured IBM Rational License Server (for example, MachineA.mydomain.com) and then click Next.

10. The Server Components panel lists two components that can be configured. The first, User Administration, is required for AppScan Source. The second, Enterprise Console, is offered for those who want to use the server for advanced assessment management. This feature is optional for AppScan Source usage and should be deselected if you do not intend on using the server for advanced assessment management. If this feature is selected, the server installation will require prerequisites and settings that are outside the scope of these instructions. After selecting the program feature or features that you want to install, click Next.

11. In the Instance Name panel, specify the name of the instance you want to configure.

12. The Authentication Mechanism panel allows you to choose between Windows authentication and Jazz Team Server authentication. If you will use LDAP authentication with the Microsoft Active Directory LDAP server, choose Authenticate via Windows. For all other LDAP servers, choose Authenticate via Jazz Team Server.

13. In the Service Account panel, enter the domain, user name, and password for the machine that will run the AppScan Enterprise Server service.

14. In the Database Connection panel, enter the name of the database server and the name of the database. When AppScan Enterprise Server creates the database in the SQL Server, it automatically configures the collation for it.

   Note: If you are upgrading an existing database, the Database Encryption Changes panel opens. Click Help to learn how to protect the SQL Server where the database is located. If you decide not to enable Transparent Data Encryption, select the check box so you can continue configuration.

15. Jazz Team Server authentication only: If you selected Jazz Team Server authentication, the next panel allows you to specify the administrator password for the server - and configure the Jazz Team Server that will be created:

   a. Enter the fully-qualified host name of the machine on which you are installing IBM Security AppScan Enterprise Server (for example, MachineB.mydomain.com).

   b. By default the administrative password is ADMIN. If you are configuring the server for the first time, log in with the default values, and you will be prompted to change the password. You are encouraged to specify a new password using the password fields in the panel. If you have previously configured the server and changed the default password, enter that password.

   c. After dismissing the password prompt, click Next to begin configuring the Jazz Team Server. This process may take a few minutes.

      Note: If this process is unsuccessful, open the Windows Services administrative tool. In the tool, locate AppScan Enterprise Server – Tomcat and start it if it is not running. Then click Next in the install panel to try to create the Jazz Team Server Public URI again.

      Tip: During installation, if you receive a could not contact JTS error message, the URI creation process could be experiencing a timeout. Waiting a minute and then clicking Next again may resolve the issue.

16. In the Server Certificate panel, choose a certificate specific to your organization. This step helps you deploy a secure Enterprise Server in your environment.

17. In the Product Administrator panel, specify a user as Product Administrator. This user is licensed separately. If you want to reassign the Product Administrator license, you must rerun the configuration wizard.

18. When the setup is complete, click Finish in the Specifications Complete panel. When configuration is complete, click Exit in the Configuration Complete panel.

What to do next

If AppScan Source was installed prior to installing the Enterprise Server, you will need to register the Database with the Enterprise Server. A utility for doing this is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the AppScan Source Installation and Administration Guide.

If you need to uninstall the Enterprise Server, you must delete its installation directory before installing it again.

Installing AppScan Source client products on Machine C

About this task

Note that the order in which you install AppScan Source client products and the AppScan Source Database does not matter. The client products can be installed before you install the database - or vice-versa.


Procedure

1. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage).

2. Extract the image to a local drive and, in the resulting directory, locate and run setup.exe. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 56 topic in the IBM Security AppScan Source Installation and Administration Guide.

   Note: There are images for each product in the AppScan Source family. The setup.exe file is located at the root of these zipped images.

3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed.

4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure.

5. In the Component Selection installation panel, select Client Component Selection and then choose the components to install:

   • AppScan Source for Analysis
   • AppScan Source Command Line Interface
   • AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default)
   • Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system)
   • Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system)
   • Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system)

   By default, when Client Component Selection is selected, the AppScan Source for Development plug-in components are deselected and all other components are selected.

   After you have selected the components that you want to install, click Next to advance to the next installation panel.

6. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are:

   • 32-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files\IBM\AppScanSource
   • 64-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files (x86)\IBM\AppScanSource
   • Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to <home_directory>/AppScan_Source by default.
   • OS X: /Applications/AppScanSource.app

   Important:

   • The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted.
   • If you are installing on Windows, you must have Administrator privileges to install AppScan Source components.
   • If you are installing on Linux, you must have root privileges to install AppScan Source server components.

   Click Next to advance to the next installation panel.

7. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

   By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

   After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

   Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

8. Review and accept the terms of the license agreement and then click Next to continue.

9. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive.

   For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.)

   During the installation, clicking Cancel at any time results in the uninstallation of all components.

10. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard.

11. In the License Manager utility:

   a. To apply a license file, click Import and then browse to your downloaded AppScan Source license.
   b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license.

   See Chapter 7, “Activating the software,” on page 99 for additional activation instructions.


Installing the AppScan Source Database on Machine D

About this task

Note that the order in which you install AppScan Source client products and the AppScan Source Database does not matter. The client products can be installed before you install the database - or vice-versa.

Procedure

1. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage).

2. Extract the image to a local drive and, in the resulting directory, locate and run setup.exe. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 56 topic in the IBM Security AppScan Source Installation and Administration Guide.

   Note: There are images for each product in the AppScan Source family. The setup.exe file is located at the root of these zipped images.

3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed.

4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure.

5. In the Component Selection installation panel, select Server Component Selection and then ensure that AppScan Source Database is selected. Click Next to advance to the next installation panel.

6. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to:

• I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source.

• I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

• I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

• I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields:

– AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format.

– User ID: Specify your AppScan Enterprise Server user ID.


– Password: Specify the password for your AppScan Enterprise Server user ID.

When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source.

• Let me proceed without specifying a server: Select this option to proceed without specifying a server.

Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70, ensuring that the Force TLSv1.2 option is applied.

Click Next to advance to the next installation panel.

Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options.

7. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are:

• 32-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files\IBM\AppScanSource

• 64-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files (x86)\IBM\AppScanSource

• Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to <home_directory>/AppScan_Source by default.

• OS X: /Applications/AppScanSource.app

Important:

• The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted.

• If you are installing on Windows, you must have Administrator privileges to install AppScan Source components.

• If you are installing on Linux, you must have root privileges to install AppScan Source server components.

Click Next to advance to the next installation panel.

8. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select the Install solidDB radio button and then click Next to advance to the next installation panel.

9. If you choose to install a solidDB database in the Database selection panel, you are prompted with the Configure IBM solidDB Admin User panel. In it, configure the solidDB database administrator account. The default database administrator user name and password are both dba. You cannot change this user name; however, the password can be changed.

Note: To learn how to change the user password after completing the product installation, see “Changing IBM solidDB user passwords after installation” on page 116.


Click Next to advance to the next installation panel.

10. The Configure IBM solidDB AppScan Source User panel allows you to configure the solidDB AppScan Source database user account. You can retain the default user name, ounce, and default password, ounce. All components that read from or write to the AppScan Source Database use this account.

Note:

• If you change the user names and passwords, you must keep a record of the new configuration in case your IBM support representative requires access to your AppScan Source Database.

• To learn how to change the user password after completing the product installation, see “Changing IBM solidDB user passwords after installation” on page 116.

Click Next to advance to the next installation panel.

11. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

12. Review and accept the terms of the license agreement and then click Next to continue.

13. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive.

For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.)

During the installation, clicking Cancel at any time results in the uninstallation of all components.

14. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. Select the Configure the AppScan Enterprise Server now check box and complete these settings:

• AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance (for example, https://MachineB.mydomain.com:9443/asc).

• User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format <host name>\<user id>).

• Password: Specify the password for your AppScan Enterprise Server user ID.

• Database Host Name: Specify the fully-qualified host name for the machine on which you have installed the AppScan Source Database (for example, MachineD.mydomain.com).

Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly.

Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the IBM Security AppScan Source Installation and Administration Guide.

Click Next to advance to the next installation panel.

15. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard.

16. In the License Manager utility:

a. To apply a license file, click Import and then browse to your downloaded AppScan Source license.

b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license.

See Chapter 7, “Activating the software,” on page 99 for additional activation instructions.
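The values entered in steps 7, 9, 10 and 14 can be checked against the guide's stated constraints before the wizard is run. The Python check below is an added example, not part of the IBM guide or of AppScan Source; the function names and the answers dictionary are hypothetical, "English characters" is approximated as printable ASCII, and flagging a non-https server URL or a retained default solidDB password is this example's own hardening policy (the guide permits keeping the defaults).

```python
import re
from urllib.parse import urlsplit

# Default solidDB accounts named in the guide (user name -> default password).
DEFAULT_DB_PASSWORDS = {"dba": "dba", "ounce": "ounce"}

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_fqdn(host):
    """True if host has at least two valid DNS labels and is not a bare IPv4 address."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return False
    return all(_LABEL.fullmatch(label) for label in labels)


def audit_answers(answers):
    """Return a list of (field, problem) findings for a dict of wizard answers."""
    findings = []

    # Step 7: the installation directory name can only contain English characters.
    # Assumption: approximated here as printable ASCII.
    if not all(32 <= ord(ch) < 127 for ch in answers["install_dir"]):
        findings.append(("install_dir", "contains non-ASCII characters"))

    # Step 14: server URL, e.g. https://MachineB.mydomain.com:9443/asc
    url = urlsplit(answers["server_url"])
    if url.scheme != "https":
        findings.append(("server_url", "scheme is not https"))
    if not url.hostname:
        findings.append(("server_url", "no host name in URL"))

    # Step 14: Database Host Name should be the fully-qualified host name.
    if not is_fqdn(answers["db_host"]):
        findings.append(("db_host", "not a fully-qualified host name"))

    # Step 14: with Windows authentication the user ID is <host name>\<user id>.
    if answers["auth"] == "windows":
        if not re.fullmatch(r"[^\\]+\\[^\\]+", answers["user_id"]):
            findings.append(("user_id", "expected <host name>\\<user id>"))

    # Steps 9 and 10: report solidDB accounts that still use the default password.
    for user, password in answers["db_accounts"].items():
        if DEFAULT_DB_PASSWORDS.get(user) == password:
            findings.append((f"db_accounts.{user}", "default password retained"))

    return findings


# Constructed sample answers (not taken from a real installation).
SAMPLE = {
    "install_dir": "C:\\Program Files (x86)\\IBM\\AppScanSource",
    "server_url": "https://MachineB.mydomain.com:9443/asc",
    "db_host": "MachineD",  # short name, not fully qualified
    "auth": "windows",
    "user_id": "jsmith",  # missing the <host name>\ prefix
    "db_accounts": {"dba": "dba", "ounce": "constructed-non-default"},
}

if __name__ == "__main__":
    for field, problem in audit_answers(SAMPLE):
        print(f"{field}: {problem}")
```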

Logging into AppScan Source

About this task

Refer to the section below for a description of the fields requested when you log in. For detailed information, see the “Logging in to AppScan Enterprise Server from AppScan Source products” on page 110 topic in the IBM Security AppScan Source Installation and Administration Guide.

Procedure

• User ID: Specify your user ID.

• Password: Specify the password for your user ID.

• AppScan Enterprise Server: Specify the hostname for your AppScan Enterprise Server instance in the existing URL format. For this installation scenario, specify the fully-qualified host name of the machine on which the AppScan Enterprise Server is installed.

Tip: If the fully-qualified host name does not work, try entering the IP address of the host machine.


Installing AppScan Source and integrating it with an existing AppScan Enterprise Server

In this scenario, AppScan Source components are installed on one machine - and they are configured to connect to an existing AppScan Enterprise Server.

About this task

This scenario is divided into two sections:

• “Installing AppScan Source”

• “Logging into AppScan Source” on page 44

Installing AppScan Source

Procedure

1. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage).

2. Extract the image to a local drive and, in the resulting directory, locate and run setup.exe. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 56 topic in the IBM Security AppScan Source Installation and Administration Guide.

Note: There are images for each product in the AppScan Source family. The setup.exe file is located at the root of these zipped images.

3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed.

4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure.

5. In the Component Selection installation panel, select the components to install. AppScan Source components are divided into server and client components:

a. To install AppScan Source server components, select Server Component Selection and then choose the components to install:

• AppScan Source Database

• AppScan Source for Automation

b. To install AppScan Source client components, select Client Component Selection and then choose the components to install:

• AppScan Source for Analysis

• AppScan Source Command Line Interface

• AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default)

• Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system)

• Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system)

• Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system)


By default, when Client Component Selection is selected, the AppScan Source for Development plug-in components are deselected and all other components are selected.

After you have selected the components that you want to install, click Next to advance to the next installation panel.

6. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to:

• I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source.

• I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

• I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

• I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields:

– AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format.

– User ID: Specify your AppScan Enterprise Server user ID.

– Password: Specify the password for your AppScan Enterprise Server user ID.

When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source.

• Let me proceed without specifying a server: Select this option to proceed without specifying a server.

Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70, ensuring that the Force TLSv1.2 option is applied.

Click Next to advance to the next installation panel.

Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options.

7. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are:

• 32-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files\IBM\AppScanSource


• 64-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files (x86)\IBM\AppScanSource

• Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to <home_directory>/AppScan_Source by default.

• OS X: /Applications/AppScanSource.app

Important:

• The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted.

• If you are installing on Windows, you must have Administrator privileges to install AppScan Source components.

• If you are installing on Linux, you must have root privileges to install AppScan Source server components.

Click Next to advance to the next installation panel.

8. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select one of:

• Install solidDB

• Install database into existing Oracle 11g Server

For additional information about installing solidDB - or to an existing Oracle database - refer to the “Installing the database and configuring connections to AppScan Enterprise Server” on page 60 topic in the IBM Security AppScan Source Installation and Administration Guide.

Click Next to advance to the next installation panel.

9. If you choose to install a solidDB database in the Database selection panel, you are prompted with the Configure IBM solidDB Admin User panel. In it, configure the solidDB database administrator account. The default database administrator user name and password are both dba. You cannot change this user name; however, the password can be changed.

Note: To learn how to change the user password after completing the product installation, see “Changing IBM solidDB user passwords after installation” on page 116.

Click Next to advance to the next installation panel.

10. The Configure IBM solidDB AppScan Source User panel allows you to configure the solidDB AppScan Source database user account. You can retain the default user name, ounce, and default password, ounce. All components that read from or write to the AppScan Source Database use this account.

Note:

• If you change the user names and passwords, you must keep a record of the new configuration in case your IBM support representative requires access to your AppScan Source Database.

• To learn how to change the user password after completing the product installation, see “Changing IBM solidDB user passwords after installation” on page 116.

Click Next to advance to the next installation panel.


11. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

12. Review and accept the terms of the license agreement and then click Next to continue.

13. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive.

For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.)

During the installation, clicking Cancel at any time results in the uninstallation of all components.

14. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings - and that the server has been configured for Jazz Team Server authentication. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings:

• AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance.

• User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format <host name>\<user id>).

• Password: Specify the password for your AppScan Enterprise Server user ID.

• Database Host Name: Specify the host name for the machine on which you have installed the AppScan Source Database.

Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly.


Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the IBM Security AppScan Source Installation and Administration Guide.

Click Next to advance to the next installation panel.

15. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard.

16. In the License Manager utility:

a. To apply a license file, click Import and then browse to your downloaded AppScan Source license.

b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license.

See Chapter 7, “Activating the software,” on page 99 for additional activation instructions.

Logging into AppScan Source

About this task

Refer to the section below for a description of the fields requested when you log in. For detailed information, see the “Logging in to AppScan Enterprise Server from AppScan Source products” on page 110 topic in the IBM Security AppScan Source Installation and Administration Guide.

Procedure

• User ID: Specify your user ID.

• Password: Specify the password for your user ID.

• AppScan Enterprise Server: Specify the hostname for your AppScan Enterprise Server instance in the existing URL format. If the AppScan Enterprise Server is located on the same machine, specify https://localhost:9443/asc/ or localhost. If the AppScan Enterprise Server is located on a remote machine, specify the fully-qualified host name of the machine on which it is installed.

Tip: If the fully-qualified host name does not work, try entering the IP address of the host machine.

Upgrading AppScan Source

Procedure

1. Upgrade the AppScan Enterprise Server according to the installation instructions provided with it. See “AppScan Enterprise Server overview” on page 59 to learn more about the server.

2. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage).

3. Extract the image to a local drive and, in the resulting directory, locate and run setup.exe. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 56 topic in the IBM Security AppScan Source Installation and Administration Guide.


Note: There are images for each product in the AppScan Source family. The setup.exe file is located at the root of these zipped images.

4. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed.

5. After you launch the installation wizard, the Welcome - Installation Upgrade Wizard panel opens and recommends that you quit any open applications. Click Next to proceed.

6. If your existing installation included the AppScan Source Database, the Server Connection panel opens, followed by Database upgrade and maintenance panels.

7. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to:

• I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source.

• I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

• I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

• I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields:

– AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format.

– User ID: Specify your AppScan Enterprise Server user ID.

– Password: Specify the password for your AppScan Enterprise Server user ID.

When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source.

• Let me proceed without specifying a server: Select this option to proceed without specifying a server.

Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70, ensuring that the Force TLSv1.2 option is applied.

Click Next to advance to the next installation panel.


Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options.

8. The next installation panel advises you that the Database will be updated during the installation and that the update can take up to 30 minutes. You should not cancel the installation or power down your computer during the Database upgrade. Click Next.

9. To facilitate Database maintenance, enter the credentials for your solidDB AppScan Source database user account and then click Next when you are ready to proceed with the Database upgrade.

10. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

11. Review and accept the terms of the license agreement and then click Next to continue.

12. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive.

For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.)

During the installation, clicking Cancel at any time results in the uninstallation of all components.

13. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings - and that the server has been configured for Jazz Team Server authentication. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings:

• AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance.

• User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format <host name>\<user id>).

• Password: Specify the password for your AppScan Enterprise Server user ID.

• Database Host Name: Specify the host name for the machine on which you have installed the AppScan Source Database.

Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly.

Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the IBM Security AppScan Source Installation and Administration Guide.

Click Next to advance to the next installation panel.

14. In the Installation Complete panel, you can initiate product activationimmediately after exiting the installation wizard by selecting Launch IBMSecurity AppScan Source License Manager. Click Done to complete thestandard installation and exit the Installation Wizard.

15. In the License Manager utility:

a. To apply a license file, click Import and then browse to your downloaded AppScan Source license.

b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license.

See Chapter 7, “Activating the software,” on page 99 for additional activation instructions.

Results

As of AppScan Source Version 8.7, application data is stored outside of the installation directory. If you are upgrading from AppScan Source Version 8.6.x or earlier, your existing application data will be moved to the “Default AppScan Source data directory” on page 58. In addition, a backup of your existing (pre-Version 8.7) application data will be stored in <data_dir>/upgrade_backup (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57).

As of AppScan Source Version 9.0, the AppScan Source for Development Eclipse plug-in is supported on OS X. If you are upgrading from AppScan Source Version 8.8.x or earlier on OS X, AppScan Source for Development features will be available for install into Eclipse environments after the upgrade is complete (use of these features requires the appropriate license). For information about installing AppScan Source for Development to Eclipse environments, see “Applying the AppScan Source for Development (Eclipse plug-in) to Eclipse and supported Eclipse-based products” on page 77.


Migrating Rational AppScan Source Edition Version 8.0.x or earlier to Version 8.6.x

Prior to Version 8.5, Rational AppScan Source Edition (now called AppScan Source) included Rational AppScan Source Edition for Core. This server-based product provided the central repository for shared information. In Version 8.5, Rational AppScan Source Edition for Core was replaced with Rational AppScan Enterprise Server (now called AppScan Enterprise Server). This scenario describes the upgrade from Version 8.0.x or earlier to Version 8.6.x.

About this task

This scenario is divided into four sections:
• “Installing IBM Rational License Server”
• “Installing Rational AppScan Enterprise Server” on page 49
• “Upgrading Rational AppScan Source Edition” on page 51
• “Logging into Rational AppScan Source Edition” on page 53

Installing IBM Rational License Server

Prior to Version 8.5, Rational License Server was only required for hosting Rational AppScan Source Edition floating licenses. As of Version 8.5, Rational License Server is required for hosting your Rational AppScan Enterprise Server license.

About this task

If you already have a supported version of Rational License Server installed, you can skip the portion of these instructions that cover Rational License Server installation - and proceed to the portion of the instructions that covers launching License Key Administrator and importing your license. Supported Rational License Server versions are outlined in the AppScan Enterprise Server system requirements (http://www.ibm.com/support/docview.wss?uid=swg27027541) and the AppScan Source system requirements (http://www.ibm.com/support/docview.wss?uid=swg27027486).

Procedure

1. Locate the Rational License Key Server image (on your Rational AppScan Source Edition product DVDs or that you downloaded as part of the Rational AppScan Source Edition eAssembly at IBM Passport Advantage).

2. Extract the image to a local drive and, in the resulting directory, locate and run RLKSSERVER_SETUP\disk1\launchpad.exe.

3. In the Rational License Server installer, click Install or Update IBM Rational License Key Server.

4. If IBM Installation Manager is not already installed on your system, it will launch for installation purposes.

a. On the first page of the Install Packages wizard, ensure that the IBM Installation Manager check box, and check boxes for all entries beneath it, are selected. Click Next.

b. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.

c. In the Location page, specify the installation directory and then click Next.


d. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.

e. When the installation is complete, click Restart Installation Manager. This will launch Installation Manager and allow you to install

5. On the first page of the Install Packages wizard, ensure that the IBM Rational License Key Server check box, and check boxes for all entries beneath it, are selected. Click Next.

6. In the Prerequisites page, you are instructed to close all applications and disable anti-virus software. Complete these precautionary tasks and then click Next.

7. On the Licenses page, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.

8. In the Location page, specify the installation directory and then click Next.

9. Complete the Package Group page according to your needs (for example, if you are using Installation Manager for the first time and have no existing package group, leave the default settings as-is). Click Next.

10. In the Translation Selection page, select the national languages that you want to install. Click Next.

11. On the Features page, ensure that all features are selected and then click Next.

12. A summary of what will be installed is shown on the Summary page. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.

13. When the installation is complete, click Finish and close IBM Installation Manager.

14. Launch the IBM Rational License Key Administrator from the Windows Start menu (in the Programs menu, launch IBM Rational > License Key Administrator).

15. When the IBM Rational License Key Administrator starts, you are prompted with the License Key Administrator Wizard (if the wizard does not open automatically, select License Keys > License Key Wizard from the main menu). In this wizard, select Import a Rational License File and then click Next.

16. In the Import a License File panel, click Browse and then navigate to your Rational AppScan Enterprise Server license file. Open the file with the browse dialog box and then click Import.

17. After confirming the license or licenses that will be imported, the Restart License Server dialog box will open. Click Yes to restart the license server. If the License Server service fails to start, open the Windows Services administrative tool. In the tool, locate FLEXlm License Manager and start it.

Installing Rational AppScan Enterprise Server

Procedure

1. Locate the Rational AppScan Enterprise Server image (on your Rational AppScan Source Edition product DVDs or that you downloaded as part of the Rational AppScan Source Edition eAssembly at IBM Passport Advantage). For additional information about Rational AppScan Enterprise Server, refer to the “AppScan Enterprise Server overview” on page 59 topic in the IBM Rational AppScan Source Edition Installation and Administration Guide.


2. Extract the image to a local drive and, in the resulting directory, locate and run CI455ML\AppScanEnterpriseServerSetup_8.5.exe.

3. When the installer welcome panel opens, click Next - and then read the upgrade notes and click Next.

4. On the License Agreement panel, read the license agreement. If you agree to the terms of the license agreement, click I accept the terms in the license agreement and then click Next.

5. In the Destination Folder panel, specify the installation directory and then click Next.

6. If you are upgrading from a previously-installed version of AppScan Enterprise Server - or if you removed the Enterprise Server and did not remove backup files, and are attempting to reinstall - the Restore Previous Jazz settings panel will prompt you to Restore previous Jazz settings or Start with a fresh Jazz instance. It is recommended you leave the default setting, Restore previous Jazz settings, selected. If you select Start with a fresh Jazz instance, you will need to reconfigure the connection to the AppScan Source database. After completing the panel, click Next.

7. The Ready to Install the Program panel allows you to proceed with the installation or return to previous installation panels if you want to change installation settings. If you want to change your selections, click Back to return to the previous pages. When you are satisfied with your installation choices, click Install.

8. When the server installation is complete, the Setup Wizard Completed panel links to help that instructs you how to secure the server with a valid SSL certificate. It is recommended that you install a valid SSL certificate (this can be done at this stage or after the installation is complete). Ensure that Launch Configuration Wizard is selected and then click Finish to proceed to the Configuration panels.

9. When the Server Configuration Wizard welcome panel opens, click Next.

10. In the License Server panel, specify the fully-qualified host name of the machine on which you installed and configured IBM Rational License Server. If IBM Rational License Server is installed locally, localhost can be entered in the License server field. Click Next.

11. The Server Components panel lists two components that can be configured. The first, User Administration, is required for AppScan Source. The second, Enterprise Console, is offered for those who want to use the server for advanced assessment management. This feature is optional for AppScan Source usage and should be deselected if you do not intend on using the server for advanced assessment management. If this feature is selected, the server installation will require prerequisites and settings that are outside the scope of these instructions. After selecting the program feature or features that you want to install, click Next.

12. Jazz Team Server authentication only: If you selected Jazz Team Server authentication, the next panel allows you to specify the administrator password for the server - and configure the Jazz Team Server that will be created:

a. Enter the fully-qualified host name of the machine on which you are installing AppScan Enterprise Server.

b. By default the administrative password is ADMIN. If you are configuring the server for the first time, log in with the default values, and you will be prompted to change the password. You are encouraged to specify a new password using the password fields in the panel. If you have previously configured the server and changed the default password, enter that password.

c. After dismissing the password prompt, click Next to begin configuring the Jazz Team Server. This process may take a few minutes.

Note:

• You cannot specify localhost in this field.
• If this process is unsuccessful, open the Windows Services administrative tool. In the tool, locate AppScan Enterprise Server – Tomcat and start it if it is not running. Then click Next in the install panel to try to create the Jazz Team Server Public URI again.

Tip: During installation, if you receive a could not contact JTS error message, the URI creation process could be experiencing a timeout. Waiting a minute and then clicking Next again may resolve the issue.

13. When the setup is complete, click Finish in the Specifications Complete panel. When configuration is complete, click Exit in the Configuration Complete panel.

What to do next

If AppScan Source was installed prior to installing the Enterprise Server, you will need to register the Database with the Enterprise Server. A utility for doing this is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the AppScan Source Installation and Administration Guide.

If you need to uninstall the Enterprise Server, you must delete its installation directory before installing it again.

Upgrading Rational AppScan Source Edition

Procedure

1. Locate the Rational AppScan Source Edition product zip file (in your Rational AppScan Source Edition media pack - or the electronic image that you downloaded as part of a Rational AppScan Source Edition eAssembly at IBM Passport Advantage).

2. Extract the image to a local drive and, in the resulting directory, locate and run setup.exe. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 56 topic in the IBM Rational AppScan Source Edition Installation and Administration Guide.

Note: There are images for each product in the Rational AppScan Source Edition family. The setup.exe file is located at the root of these zipped images.

3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed.

4. After you launch the installation wizard, the Welcome - Installation Upgrade Wizard panel opens and recommends that you quit any open applications. Click Next to proceed.


5. The next installation panel advises you that the Database will be updated during the installation and that the update can take up to 30 minutes. You should not cancel the installation or power down your computer during the Database upgrade. Click Next.

6. To facilitate Database maintenance, enter the credentials for your solidDB AppScan Source database user account and then click Next when you are ready to proceed with the Database upgrade.

7. In the language pack selection panel, choose the language packs to install. When you install a language pack, the Rational AppScan Source Edition user interface will display in that language when it runs on an operating system that is running that locale.

By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

8. Review and accept the terms of the license agreement and then click Next to continue.

9. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive.

For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.)

During the installation, clicking Cancel at any time results in the uninstallation of all components.

10. In the Rational AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the Rational AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings:

• AppScan Enterprise Server: Specify the URL for your Rational AppScan Enterprise Server instance.

• User ID: Specify your Rational AppScan Enterprise Server user ID. By default, the user ID is ADMIN. Change this value if you changed the user ID during or after installation of the server.

• Password: Specify the password for your Rational AppScan Enterprise Server user ID. By default, the password is ADMIN. Change the value if you changed the password during or after installation of the server.

• Database Host Name: Specify the host name for the machine on which you have installed the Rational AppScan Source Edition Database.


Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly.

Note: The server can also be configured post-installation using a utility that is included with Rational AppScan Source Edition. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the IBM Security AppScan Source Installation and Administration Guide.

Click Next to advance to the next installation panel.

11. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Rational AppScan Source Edition License Manager. Click Done to complete the standard installation and exit the Installation Wizard.

12. In the License Manager utility:

a. To apply a license file, click Import and then browse to your downloaded AppScan Source license.

b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license.

See Chapter 7, “Activating the software,” on page 99 for additional activation instructions.

What to do next

If you are upgrading from a previous version of IBM Rational AppScan Source Edition, you can migrate your users to the Rational AppScan Enterprise Server. Instructions for this are provided in the “Migrating Rational AppScan Source Edition for Core users to AppScan Enterprise Server” on page 109 topic in the IBM Security AppScan Source Installation and Administration Guide.

Logging into Rational AppScan Source Edition

About this task

Refer to the section below for a description of the fields requested when you log in. For detailed information, see the “Logging in to AppScan Enterprise Server from AppScan Source products” on page 110 topic in the IBM Security AppScan Source Installation and Administration Guide.

Procedure

• User ID: Specify your user ID.
• Password: Specify the password for your user ID.
• AppScan Enterprise Server: Specify the hostname for your AppScan Enterprise Server instance in the existing URL format. For this installation scenario, specify https://localhost:9443/asc/ or localhost.


Chapter 4. Advanced installation and activation topics

This section describes advanced installation options and activation procedures.

AppScan Source software is downloaded from IBM Passport Advantage or purchased as a media pack. Activation licenses are acquired through the IBM Rational License Key Center.

Self-extracting installation files are available for Windows, Linux, and OS X. They produce these setup files:
• Windows: setup.exe
• Linux: setup.bin.gz
• OS X: setup.dmg

The Installation Wizard guides you through the out-of-the-box installation of all AppScan Source components that are supported on the operating system on which you are installing.

When the installation completes, you have the option to launch the activation License Manager from the final installation panel - or you can choose to activate the product at a later time.

Important: You must activate the software before you can use it.

You must be familiar with your environment and deployment requirements before installing AppScan Source components (see “AppScan Source deployment models” on page 8 for additional information). For example, to run AppScan Source for Analysis on a notebook computer that does not have connectivity to a remote AppScan Enterprise Server, you must install AppScan Source for Analysis and the AppScan Enterprise Server on the notebook.

Standard Desktop

A standard desktop installation consists of the client and server components necessary to run AppScan Source for Analysis on a single computer, even when disconnected from the network (this installation type requires that the AppScan Enterprise Server also be installed on the computer). Standard desktop installation component options include:
• Server components:
  – AppScan Source Database
  – AppScan Source for Automation
• Client components:
  – AppScan Source for Analysis
  – AppScan Source Command Line Interface
  – AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default)
  – Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system)


  – Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system)
  – Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system)

Server

Server components that you can choose to install include:
• AppScan Source Database
• AppScan Source for Automation

Client

Client components that you can choose to install include:
• AppScan Source for Analysis
• AppScan Source Command Line Interface
• AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default)
• Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system)
• Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system)
• Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system)

Starting the installation wizard

The AppScan Source installation wizard runs on Microsoft Windows and Linux operating systems.

To start the installation:
• Microsoft Windows: Run setup.exe
• Linux: Run setup.bin
• OS X: Open setup.dmg and then run the setup app

The wizard checks for network port availability. If it finds conflicts, you must exit the installation. See “Port configuration” on page 114 for more details about required ports.

When you first launch the installation wizard, you are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed.

After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure (see “Installation and user data file locations” on page 57 for information about installation file locations).


Note: If you have Rational AppScan Source Edition for Portfolio Manager Version 7.0 installed and you are using the installation wizard to upgrade Rational AppScan Source Edition Version 7.0 to a higher version, the installation process will cause Rational AppScan Source Edition for Portfolio Manager Version 7.0 to be removed from your computer. It is recommended that you back up your Rational AppScan Source Edition database before proceeding with removal of this product (in the event that you need to reinstall Rational AppScan Source Edition for Portfolio Manager Version 7.0 at a later time, the database backup can be used to reinstate your Rational AppScan Source Edition Version 7.0).

The AppScan Source Version 8.x installation will prompt you before it removes Rational AppScan Source Edition for Portfolio Manager Version 7.0 from your computer. At that time, you will have the option of automatically creating a backup of the IBM solidDB that was installed with Rational AppScan Source Edition. If you choose this option, the backup will be saved to <install_dir>\solidDB\com.ouncelabs.db.<timestamp> (where <install_dir> is the location of your AppScan Source installation). For example, on Windows (32-bit), the backup will be saved to C:\Program Files\IBM\AppScanSource\solidDB\com.ouncelabs.db.<timestamp> by default.

If you are using an Oracle database for your data, you should manually back up the database before attempting to upgrade to AppScan Source Version 8.x. Instructions for manually backing up databases can be found in “Backing up the AppScan Source Database” on page 72.

To restore a solidDB database, follow the instructions in “Restoring the AppScan Source IBM solidDB database” on page 73.

Installation and user data file locations

When you install AppScan Source, user data and configuration files are stored outside of the installation directory.
• “Default installation location”
• “Default AppScan Source data directory” on page 58
• “AppScan Source temporary file location” on page 58

Default installation location

When AppScan Source is installed, the software is placed in one of these default locations:
• 32-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files\IBM\AppScanSource
• 64-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files (x86)\IBM\AppScanSource
• Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to <home_directory>/AppScan_Source by default.
• OS X: /Applications/AppScanSource.app

Important:

• The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted.


• If you are installing on Windows, you must have Administrator privileges to install AppScan Source components.
• If you are installing on Linux, you must have root privileges to install AppScan Source server components.

Default AppScan Source data directory

AppScan Source data consists of items such as configuration, sample, and log files. When AppScan Source is installed, data files are placed in these locations by default:
• Microsoft Windows: <SYSTEMDRIVE>:\ProgramData\IBM\AppScanSource

Note: ProgramData\ is a hidden folder, and to see it you must modify your view preferences in Explorer to show hidden files and folders.

• Linux: /var/opt/ibm/appscansource
• OS X: /Users/Shared/AppScanSource

To learn how to change the location of the AppScan Source data directory, see “Changing the AppScan Source data directory.”

AppScan Source temporary file location

Some AppScan Source operations result in the creation of temporary files, which are stored in these locations by default:
• Microsoft Windows: <SYSTEMDRIVE>:\ProgramData\IBM\AppScanSource\temp

Note: ProgramData\ is a hidden folder, and to see it you must modify your view preferences in Explorer to show hidden files and folders.

• Linux: /var/opt/ibm/appscansource/temp
• OS X: /Users/Shared/AppScanSource/temp

The temporary file location is always located in a temp directory in the AppScan Source data directory. You can change the temporary file location by changing the data directory, as described in “Changing the AppScan Source data directory.” This will cause the temp to be located in the data directory that you have chosen.

Changing the AppScan Source data directory

You may want to change the location of the AppScan Source data directory for the purpose of managing hard disk space. You can change the location after AppScan Source installation by following the steps in this topic.

Before you begin

Before completing this task, ensure that all AppScan Source client applications have been exited or shut down. AppScan Source client applications include:
• AppScan Source for Analysis
• AppScan Source for Development (Eclipse or Visual Studio plug-in) (supported only on Windows and Linux)
• AppScan Source command line interface (CLI)
• AppScan Source for Automation

In addition, if you have installed AppScan Source for Automation, ensure that the Automation Server has been shut down:


• On Windows, stop the IBM Security AppScan Source Automation service.
• On Linux, issue this command: /etc/init.d/ounceautod stop
• On OS X, issue this command: launchctl stop com.ibm.appscan.autod

Procedure

1. Define an APPSCAN_SOURCE_SHARED_DATA=<data_dir> environment variable, where <data_dir> is the location in which you want AppScan Source data to be stored.

Note:

• The <data_dir> location must be a complete and absolute path that already exists on the same machine as your AppScan Source installation.
• The <data_dir> directory name can only contain English characters. Folders with names containing non-English characters are not permitted.

2. Locate the default data directory that was created when AppScan Source was installed (see “Default AppScan Source data directory” on page 58 to learn about default data directory locations).

3. Copy or move the contents of the default data directory to the <data_dir> location that is specified in the environment variable.

4. Applies only to AppScan Source for Automation installed on Linux:

a. Edit the /etc/init.d/ounceautod file.

b. Locate this line,

su - ounce -c 'export LD_LIBRARY_PATH="/opt/IBM/AppScan_Source/bin":$LD_LIBRARY_PATH && cd "/opt/IBM/AppScan_Source/bin" && "/opt/IBM/AppScan_Source/bin/ounceautod" -s' >> "/var/opt/ibm/appscansource/logs/ounceautod_output.log" 2>&1 &

and replace it with this:

su - ounce -c 'export APPSCAN_SOURCE_SHARED_DATA=<new data directory path here> && export LD_LIBRARY_PATH="/opt/IBM/AppScan_Source/bin":$LD_LIBRARY_PATH && cd "/opt/IBM/AppScan_Source/bin" && "/opt/IBM/AppScan_Source/bin/ounceautod" -s' >> "<new data directory path here>/logs/ounceautod_output.log" 2>&1 &

Note: The above command is one line.

c. Save the /etc/init.d/ounceautod file.
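Steps 1 to 4 above for a Linux host, as an added shell example (not IBM's tooling and not part of the guide). The function names are hypothetical; reading "English characters" as an ASCII allowlist, quoting the exported path, and rejecting a world-writable directory are assumptions added here.

```shell
#!/bin/sh
# Added example: pre-flight checks for relocating the AppScan Source data
# directory on Linux. Function names are hypothetical, not part of the product.

# validate_data_dir DIR
# Enforces the notes in step 1 (absolute path, already exists, English
# characters only) plus one extra check that is not in the guide: the
# directory must not be world-writable, because it will hold configuration
# and log files.
validate_data_dir() {
    dir=$1
    case $dir in
        /*) ;;
        *)  echo "not an absolute path: $dir" >&2; return 1 ;;
    esac
    # Assumption: "English characters" is read as this ASCII allowlist.
    # Count the bytes left over once every allowed character is removed.
    bad=$(printf '%s' "$dir" | LC_ALL=C tr -d 'A-Za-z0-9 _./-' | wc -c)
    if [ "$((bad))" -ne 0 ]; then
        echo "disallowed characters in path: $dir" >&2; return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "directory does not exist: $dir" >&2; return 3
    fi
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "world-writable directory: $dir" >&2; return 4
    fi
    return 0
}

# relocate_data SRC DST
# Step 3: copy the contents of the default data directory SRC into DST,
# preserving modes and timestamps (and ownership when run as root).
relocate_data() {
    src=$1; dst=$2
    validate_data_dir "$dst" || return $?
    [ -d "$src" ] || { echo "default data directory not found: $src" >&2; return 5; }
    cp -Rp "$src"/. "$dst"/
}

# patch_init_script FILE NEWDIR
# Step 4b: print FILE with the ounceautod start line rewritten so that it
# exports APPSCAN_SOURCE_SHARED_DATA (quoted here, unlike the guide's line)
# and appends its log under NEWDIR/logs. FILE itself is not modified; review
# the output before installing it as /etc/init.d/ounceautod.
patch_init_script() {
    file=$1; newdir=$2
    # The allowlist above also keeps sed metacharacters (| & \) out of NEWDIR.
    validate_data_dir "$newdir" || return $?
    sed -e "/ounceautod\" -s/ s|-c *'export LD_LIBRARY_PATH|-c 'export APPSCAN_SOURCE_SHARED_DATA=\"$newdir\" \&\& export LD_LIBRARY_PATH|" \
        -e "/ounceautod\" -s/ s|\"/var/opt/ibm/appscansource/logs/|\"$newdir/logs/|" \
        "$file"
}
```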

What to do next

If you have installed AppScan Source for Automation, start the Automation Server:
• On Windows, start the IBM Security AppScan Source Automation service.
• On Linux, issue this command: /etc/init.d/ounceautod start
• On OS X, issue this command: launchctl start com.ibm.appscan.autod

AppScan Enterprise Server overview

The AppScan Enterprise Server is a separately-installable component that is required for AppScan Source usage. Each AppScan Source product and component needs to be able to communicate with an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. In addition, if your administrator has installed the Enterprise Console component of the AppScan Enterprise Server, you can publish assessments to it. The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.

To learn about the hardware and software required to run the AppScan Enterprise Server, see http://www.ibm.com/support/docview.wss?uid=swg27027541.

Basic installation instructions are provided in the Chapter 3, “Sample installation scenarios,” on page 21. For detailed installation instructions, refer to the AppScan Enterprise Server Planning & Installation Guide.

When used with AppScan Source, the AppScan Enterprise Server requires an IBM solidDB database server that you have installed with the AppScan Source installation wizard - or an existing Oracle database server that has AppScan Source schema and data applied by the AppScan Source installation wizard.

Important: If the AppScan Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you must set AppScan Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail.

- If you are not installing the AppScan Source Database (for example, you are only installing client components), you can force Transport Layer Security V1.2 by modifying <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57). In this file, locate this setting:

<Setting
    name="tls_protocol_version"
    read_only="false"
    default_value="0"
    value="0"
    description="Minor Version of the TLS Connection Protocol"
    type="text"
    display_name="TLS Protocol Version"
    display_name_id=""
    available_values="0:1:2"
    hidden="false"
    force_upgrade="false"
/>

In the setting, change value="0" to value="2" and then save the file.

- If you are installing the AppScan Source Database, you force Transport Layer Security V1.2 in the IBM Security AppScan Enterprise Server Database Configuration tool after installing both AppScan Source and the Enterprise Server.

To learn about the IBM Security AppScan Enterprise Server Database Configuration tool, see “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70.
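The tls_protocol_version edit described above can be audited and applied across client machines by script. The following Python code is an added example, not part of the IBM guide or product: it assumes ounce.ozsettings is UTF-8 text, and the sample file's root element and the attributes shown for tns_admin are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

SETTING_NAME = "tls_protocol_version"
FORCED_VALUE = "2"  # the value the guide says to set in order to force TLS V1.2

# One self-closing <Setting .../> element; its attributes may span several lines.
ELEMENT_RE = re.compile(r"<Setting\b[^>]*?/>", re.DOTALL)
# One attribute="value" pair inside an element.
ATTR_RE = re.compile(r'([\w.:-]+)\s*=\s*"([^"]*)"')


def find_setting(text, name=SETTING_NAME):
    """Return (element_match, {attribute: attribute_match}) for the named Setting, or None."""
    for element in ELEMENT_RE.finditer(text):
        attrs = {m.group(1): m for m in ATTR_RE.finditer(element.group(0))}
        if "name" in attrs and attrs["name"].group(2) == name:
            return element, attrs
    return None


def tls_value(text):
    """Current value of tls_protocol_version, or None if the setting is absent."""
    found = find_setting(text)
    if found is None or "value" not in found[1]:
        return None
    return found[1]["value"].group(2)


def force_tls12(text):
    """Return text with tls_protocol_version set to 2; every other byte is unchanged."""
    found = find_setting(text)
    if found is None:
        raise ValueError(f"no Setting named {SETTING_NAME!r} found")
    element, attrs = found
    if "value" not in attrs:
        raise ValueError("setting has no value attribute")
    if "available_values" in attrs:
        allowed = attrs["available_values"].group(2).split(":")
        if FORCED_VALUE not in allowed:
            raise ValueError(f"{FORCED_VALUE} is not in available_values {allowed}")
    # Attribute offsets are relative to the element, so shift by the element start.
    start = element.start() + attrs["value"].start(2)
    end = element.start() + attrs["value"].end(2)
    return text[:start] + FORCED_VALUE + text[end:]


def update_file(path):
    """Apply force_tls12 to a settings file, keeping a .bak copy of the original.
    Returns True if the file was changed, False if it was already set to 2."""
    path = Path(path)
    with open(path, encoding="utf-8", newline="") as handle:  # keep line endings
        original = handle.read()
    updated = force_tls12(original)
    if updated == original:
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    with open(path, "w", encoding="utf-8", newline="") as handle:
        handle.write(updated)
    return True


# Constructed sample: the root element and the tns_admin attributes are
# assumptions; only the tls_protocol_version element is taken from the guide.
SAMPLE = '''<Settings>
  <Setting
    name="tns_admin"
    default_value=""
    value=""
    type="text"
  />
  <Setting
    name="tls_protocol_version"
    read_only="false"
    default_value="0"
    value="0"
    description="Minor Version of the TLS Connection Protocol"
    type="text"
    display_name="TLS Protocol Version"
    display_name_id=""
    available_values="0:1:2"
    hidden="false"
    force_upgrade="false"
  />
</Settings>
'''

if __name__ == "__main__":
    print("before:", tls_value(SAMPLE))
    print("after: ", tls_value(force_tls12(SAMPLE)))
```

Only the value attribute of the matching element is rewritten, so default_value and every other setting in the file stay as they were.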

Installing the database and configuring connections to AppScan Enterprise Server

AppScan Source requires an IBM solidDB database server that you have installed with the AppScan Source installation wizard - or an existing Oracle database server that has AppScan Source schema and data applied by the AppScan Source installation wizard. The database persists AppScan Source Security Knowledgebase data, assessment data, and application/project inventory - and your options for database server installation and configuration are outlined in this topic.

Important: When scanning, AppScan Enterprise Server and AppScan Source clients (except AppScan Source for Development) both require a direct connection to the AppScan Source Database (either solidDB or Oracle).

Note: AppScan Source server components, such as the AppScan Source Database, are not supported on OS X.

Install and configure solidDB

During the installation process, you install the database and specify solidDB login settings so that AppScan Enterprise Server can connect to the database. To learn how to install for this scenario, see “Install and configure IBM solidDB.”

Install to an existing Oracle database

Apply the AppScan Source Database schema and data to an existing Oracle database. During the installation process, you specify Oracle database login settings so that AppScan Enterprise Server can connect to the database. To learn how to install for this scenario, see “Install to an existing Oracle database” on page 65.

Install and configure IBM solidDB

About this task

This task topic describes the procedure for installing and configuring solidDB and the AppScan Enterprise Server.

Procedure

1. Install the AppScan Enterprise Server according to the installation instructions provided with it. See “AppScan Enterprise Server overview” on page 59 to learn more about the server.

2. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage).

3. Extract the image to a local drive and, in the resulting directory, locate and run setup.exe. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 56 topic in the IBM Security AppScan Source Installation and Administration Guide.

Note: There are images for each product in the AppScan Source family. The setup.exe file is located at the root of these zipped images.

4. In the Component Selection installation panel, select Server Component Selection and then ensure that AppScan Source Database is selected. Click Next to advance to the next installation panel.

5. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to:

- I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source.

- I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

- I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

- I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields:

– AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format.

– User ID: Specify your AppScan Enterprise Server user ID.

– Password: Specify the password for your AppScan Enterprise Server user ID.

When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source.

- Let me proceed without specifying a server: Select this option to proceed without specifying a server.

Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70, ensuring that the Force TLSv1.2 option is applied.

Click Next to advance to the next installation panel.

Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options.

6. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are:

- 32-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files\IBM\AppScanSource

- 64-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files (x86)\IBM\AppScanSource

- Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to <home_directory>/AppScan_Source by default.

- OS X: /Applications/AppScanSource.app

Important:

- The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted.

- If you are installing on Windows, you must have Administrator privileges to install AppScan Source components.

- If you are installing on Linux, you must have root privileges to install AppScan Source server components.

Click Next to advance to the next installation panel.

7. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select the Install solidDB radio button and then click Next to advance to the next installation panel.

8. If you choose to install a solidDB database in the Database selection panel, you are prompted with the Configure IBM solidDB Admin User panel. In it, configure the solidDB database administrator account. The default database administrator user name and password are both dba. You cannot change this user name; however, the password can be changed.

Note: To learn how to change the user password after completing the product installation, see “Changing IBM solidDB user passwords after installation” on page 116.

Click Next to advance to the next installation panel.

9. The Configure IBM solidDB AppScan Source User panel allows you to configure the solidDB AppScan Source database user account. You can retain the default user name, ounce, and default password, ounce. All components that read from or write to the AppScan Source Database use this account.

Note:

- If you change the user names and passwords, you must keep a record of the new configuration in case your IBM support representative requires access to your AppScan Source Database.

- To learn how to change the user password after completing the product installation, see “Changing IBM solidDB user passwords after installation” on page 116.

Click Next to advance to the next installation panel.

10. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

11. Review and accept the terms of the license agreement and then click Next to continue.

12. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive.

For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.)

During the installation, clicking Cancel at any time results in the uninstallation of all components.

13. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings - and that the server has been configured for Jazz Team Server authentication. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings:

- AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance.

- User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format <host name>\<user id>).

- Password: Specify the password for your AppScan Enterprise Server user ID.

- Database Host Name: Specify the host name for the machine on which you have installed the AppScan Source Database.

Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly.

Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the IBM Security AppScan Source Installation and Administration Guide.

Click Next to advance to the next installation panel.

14. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard.

15. In the License Manager utility:

a. To apply a license file, click Import and then browse to your downloaded AppScan Source license.

b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license.

See Chapter 7, “Activating the software,” on page 99 for additional activation instructions.

Install to an existing Oracle database

This task topic describes the procedure for installing the AppScan Source Database schema and data to an existing Oracle database. In order to create the Oracle schema, the AppScan Source installer must be run on the same machine on which the Oracle database is installed - or on a machine where the full Oracle client is installed (the installer must be able to access the Oracle sqlplus and sqlldr utilities).

Procedure

1. Install the AppScan Enterprise Server according to the installation instructions provided with it. See “AppScan Enterprise Server overview” on page 59 to learn more about the server.

2. Locate the IBM Security AppScan Source product zip file (in your AppScan Source media pack - or the electronic image that you downloaded as part of an AppScan Source eAssembly at IBM Passport Advantage).

3. Extract the image to a local drive and, in the resulting directory, locate and run setup.exe. Detailed information about launching the installation wizard can be found in the “Starting the installation wizard” on page 56 topic in the IBM Security AppScan Source Installation and Administration Guide.

Note: There are images for each product in the AppScan Source family. The setup.exe file is located at the root of these zipped images.

4. In the Component Selection installation panel, select Server Component Selection and then ensure that AppScan Source Database is selected. Click Next to advance to the next installation panel.

5. In the Server Connection panel, choose the option that describes the AppScan Enterprise Server that you will connect to:

- I will use the instance found on this machine: This option displays if a compatible version of AppScan Enterprise Server has been detected on the machine. Select this option if you intend on connecting to that Enterprise Server when using AppScan Source.

- I will install a compatible local instance of AppScan Enterprise server now: This option displays if a non-compatible version of AppScan Enterprise Server has been detected on the machine. If you intend on installing a compatible version of the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

- I will install a local instance of AppScan Enterprise server now: This option displays if AppScan Enterprise Server has not been detected on the machine. If you intend on installing the Enterprise Server on this machine, select this option and click Next. The next installation panel will guide you through Enterprise Server download options.

- I will connect to a remote AppScan Server instance: Selecting this option allows you to test the remote AppScan Enterprise Server to ensure that it is available for connection to AppScan Source. To test the server connection, complete these fields:

– AppScan Enterprise Server: Specify the hostname for your remote AppScan Enterprise Server instance in the existing URL format.

– User ID: Specify your AppScan Enterprise Server user ID.

– Password: Specify the password for your AppScan Enterprise Server user ID.

When the server settings have been entered, click Test Connection to ensure that the server will be available for connection to AppScan Source.

- Let me proceed without specifying a server: Select this option to proceed without specifying a server.

Important: If the Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you cannot test a connection to the server. In this case, proceed without specifying a server. After the installation of AppScan Source and the Enterprise Server are complete, follow the instructions for “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70, ensuring that the Force TLSv1.2 option is applied.

Click Next to advance to the next installation panel.

Note: If your selection in the Server Connection panel assumes an existing installation of AppScan Enterprise Server that is incompatible or does not exist, the Install Server panel opens. This panel guides you through Enterprise Server download options.

6. In the Installation Target Specification page, specify the installation directory. The default directories, by operating system, are:

- 32-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files\IBM\AppScanSource

- 64-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files (x86)\IBM\AppScanSource

- Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to <home_directory>/AppScan_Source by default.

- OS X: /Applications/AppScanSource.app

Important:

- The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted.

- If you are installing on Windows, you must have Administrator privileges to install AppScan Source components.

- If you are installing on Linux, you must have root privileges to install AppScan Source server components.

Click Next to advance to the next installation panel.

7. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page, the database selection panel displays. In this page, select the Install database into existing Oracle 11g Server radio button and then click Next to advance to the next installation panel.

8. If the IBM Security AppScan Source Database component was selected for installation in the Server Component Selection page - and Install database into existing Oracle 11g Server was selected in the Database selection page - the Oracle Database Server panel displays. In this page, specify:

- Oracle Home: Specify the location of your Oracle installation.

- Oracle TNS Location: This is the location where the tnsnames.ora file is located. By default, this is <oracle_home>\network\admin (where <oracle_home> is the location of your Oracle installation).

- Oracle Service Name/SID: Specify the connection string or TNS Alias, for example //<hostname>:<port>/<OracleServiceName>. Specifying a TNS Alias requires AppScan Enterprise Server configuration. See “Oracle TNS Alias configuration” on page 70 for details.

- System User Name: Specify the Oracle user that will be used to perform the installation. This user name must have authority to create other users. The default value is system.

- System Password: Specify the password for the System User Name user.

- Test Connection: Click this button to verify that the database settings and credentials that have been provided are correct.

- AppScan User Name: Specify the AppScan Source Database user to create. The default value is ounce.

- AppScan Password: Specify the password for the AppScan User Name user. The default value is ounce.

- Direct Data Load check box: If selected, the initial AppScan Source data will be loaded via Oracle Direct Load. This check box is selected by default.

- Sysdba User: If the Direct Data Load check box is selected, specify a user with sysdba privileges. The default value is sysdba.

- Sysdba Password: Specify the password for Sysdba User.

- Path to SqlPlus: Specify the path on disk to the sqlplus executable. This will be used to run sql scripts during the installation. The default value is sqlplus. An absolute path is not necessary if the sqlplus executable exists on the system path.

- Path to Sqlldr: Specify the path on disk to the sqlldr executable. This will be used to load data during the installation. The default value is sqlldr. An absolute path is not necessary if the sqlldr executable exists on the system path.

Important: After the installation completes with these settings, a new schema and AppScan Source Database user is automatically installed to your Oracle database. The AppScan Source Database user does not need to be created manually.

Note:

- After completing an installation that includes the installation of the AppScan Source Database schema and data to an existing Oracle database, please see <data_dir>\logs\core_exceptions.log (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57) to verify that no installation errors occurred.

- If you are connecting the AppScan Enterprise Server to an Oracle database, you must set the character set to UTF-8 when creating the database (this is typically not the default character set).

- The AppScan Source installation requires, but does not install, the Oracle Instant Client (OCI) libraries. See “Installing the Oracle Client (OCI) libraries” on page 69 for more information.

- If you specify a TNS Alias as the Oracle Connection String, you may see this error in the core_exceptions.log file: Unable to process the database transaction. Error: ORA-12154 (the message may be accompanied by error text from the Oracle database). To resolve this, complete one of these tasks:

– Copy the Oracle tnsnames.ora file to <install_dir>\bin (where <install_dir> is the location of your AppScan Source installation).

– Open <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57). In the file, locate the tns_admin setting and change its value to point to the directory that contains the Oracle tnsnames.ora file. Save the changes to the file.

Click Next to advance to the next installation panel.

9. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

10. Review and accept the terms of the license agreement and then click Next to continue.

11. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive.

For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.)

During the installation, clicking Cancel at any time results in the uninstallation of all components.

12. In the IBM Security AppScan Enterprise Server Configuration panel, specify the settings that will allow the database to connect to the AppScan Enterprise Server. By default, this installation panel pre-fills with entries that assume the database and server are installed on the same machine, with default settings - and that the server has been configured for Jazz Team Server authentication. If the pre-filled settings are incorrect, select the Configure the AppScan Enterprise Server now check box and complete these settings:

- AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance.

- User ID: Specify your AppScan Enterprise Server user ID. By default, the user ID is ADMIN, which is the default if the server is configured for Jazz Team Server authentication (change this value if you changed the user ID during or after installation of the server). If the server is configured for Windows authentication, enter the Windows user ID that was used when your account was added to the server (the user ID must be in the format <host name>\<user id>).

- Password: Specify the password for your AppScan Enterprise Server user ID.

- Database Host Name: Specify the host name for the machine on which you have installed the AppScan Source Database.

Note: The entry in this field should always be the fully-qualified host name of the machine on which the installer is running. This value should be pre-filled in this field at install time and should only be changed if the value has pre-filled incorrectly.

Note: The server can also be configured post-installation using a utility that is included with AppScan Source. Information about this can be found in the “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 topic in the IBM Security AppScan Source Installation and Administration Guide.

Click Next to advance to the next installation panel.

13. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard.

14. In the License Manager utility:

a. To apply a license file, click Import and then browse to your downloaded AppScan Source license.

b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license.

See Chapter 7, “Activating the software,” on page 99 for additional activation instructions.

Installing the Oracle Client (OCI) libraries

The AppScan Source installation does not install the Oracle Client (OCI) libraries. If you are deploying AppScan Source using an Oracle database, every client machine running AppScan Source products must have an Oracle client installed in order to communicate with the database. To use an Oracle client you already have installed, you must ensure that the client libraries can be found by AppScan Source, according to the instructions in this topic. After the installation is complete, if you see a connection error in <data_dir>\logs\scanner_exceptions.log (on Windows) or <data_dir>/logs/scanner_exceptions.log (on Linux) (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57), this may be because the Oracle Client libraries cannot be found. On Linux, this error will state that libclntsh.so could not be found. On Windows, it will state that ociw32.dll could not be found.

If you do not have an existing Oracle client installation, the Oracle Client can be downloaded from http://www.oracle.com/technology/tech/oci/instantclient/index.html.

In order to create the Oracle schema, the AppScan Source installer must either be run on the same machine on which the Oracle database is installed, or on a machine on which the full Oracle client is installed. This is required so that the installer can access the Oracle sqlplus and sqlldr utilities.

On Linux

If it does not already exist on your system, you need to create a symbolic link in the $ORACLE_HOME/lib directory. This link should be called libclntsh.so, and should point to a specific version of this file. For example:

- Oracle Version 11 client: lrwxrwxrwx 1 oracle oracle 63 Oct 2 14:16 libclntsh.so -> /u01/app/oracle/home/lib/libclntsh.so.11.1

- Oracle Version 10 client: lrwxrwxrwx 1 oracle oracle 63 Oct 2 14:16 libclntsh.so -> /u01/app/oracle/home/lib/libclntsh.so.10.1

In addition, the directory containing libclntsh.so must be included in your $LD_LIBRARY_PATH prior to running the installer.

You may also need to set values for the NLS_LANG and ORA_NLS10 (or ORA_NLS11) environment variables. For example:

export NLS_LANG=AMERICAN_AMERICA.AL32UTF8
export ORA_NLS10=$ORACLE_HOME/nls/data

See your Oracle documentation for information about these variables.

Automation Server: If you are using the AppScan Source for Automation server, you may have to edit the /etc/init.d/ounceautod start script to ensure that the Oracle client libraries are included in the $LD_LIBRARY_PATH for the user account of the ounceautod daemon.

On Windows

The %ORACLE_HOME%/bin directory must be included in your PATH environment variable.

Oracle Instant Client

The Oracle Instant Client is only supported when you are connecting to an existing Oracle database that has AppScan Source schema applied.

- On Linux: The libclntsh.so symbolic link should be created in the same directory as your Oracle Instant Client libraries and this directory should be included in $LD_LIBRARY_PATH.

  Note: When using the Basic Lite version of the Oracle Instant Client, you should not set the ORA_NLS10 (or ORA_NLS11) variable.

- On Windows: Ensure the Oracle Instant Client .dll files can be found in your PATH.
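A preflight check for the Linux requirements in this topic, as an added example (not IBM's code): it verifies that libclntsh.so in the given directory resolves to a real file, that the directory is on the library search path, and that the path has no empty or relative entries, which the dynamic loader resolves against the current working directory. The function name check_oci_libdir and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM's code): preflight check for the Oracle client
# library directory on Linux, following the requirements in this topic.
# Usage: check_oci_libdir DIR [SEARCH_PATH]
#   DIR          "$ORACLE_HOME/lib" or the Oracle Instant Client directory
#   SEARCH_PATH  defaults to the current $LD_LIBRARY_PATH
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
check_oci_libdir() {
    libdir=${1%/}
    search_path=${2-${LD_LIBRARY_PATH-}}
    link="$libdir/libclntsh.so"
    rc=0
    found=no

    # libclntsh.so must resolve to a real client library file.
    if [ -L "$link" ] && [ ! -e "$link" ]; then
        echo "DANGLING_LINK: $link -> $(readlink "$link")"
        rc=1
    elif [ ! -e "$link" ]; then
        echo "MISSING_LINK: $link"
        rc=1
    fi

    # An empty entry (leading, trailing or doubled colon) makes the loader
    # search the current working directory.
    if [ -n "$search_path" ]; then
        case ":$search_path:" in
            *::*) echo "EMPTY_ENTRY: $search_path"; rc=1 ;;
        esac
    fi

    # Walk the colon-separated entries one at a time.
    rest=$search_path
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        case "$rest" in
            *:*) rest=${rest#*:} ;;
            *)   rest= ;;
        esac
        if [ -z "$entry" ]; then
            continue            # already reported as EMPTY_ENTRY
        fi
        case "$entry" in
            /*) ;;
            *)  echo "RELATIVE_ENTRY: $entry"; rc=1 ;;
        esac
        if [ "${entry%/}" = "$libdir" ]; then
            found=yes
        fi
    done

    if [ "$found" = no ]; then
        echo "NOT_IN_PATH: $libdir"
        rc=1
    fi
    return "$rc"
}
```

Run it as the account that starts the installer (or the ounceautod daemon account), since each account has its own $LD_LIBRARY_PATH.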

Oracle TNS Alias configuration

When configuring the connection to an Oracle database during AppScan Source installation, you can use a TNS Alias instead of an Oracle Connection String. Doing this requires AppScan Enterprise Server configuration, as outlined in this topic.

About this task

For information, please see the Configuring an AppScan Source Oracle database with AppScan Enterprise Server topic at http://www.ibm.com/support/knowledgecenter/SSW2NF/welcome.

Registering the AppScan Source Database with AppScan Enterprise Server

During AppScan Source installation, if valid settings have been entered, the AppScan Source Database should automatically be registered with the server. However, in the event that database registration does not complete or succeed, follow the instructions in this topic for completing the registration.

AppScan Source includes a utility that allows you to register the database with the server. The tool is <install_dir>\bin\appscanserverdbmgr.bat (where <install_dir> is the location of your AppScan Source installation) - or <install_dir>/bin/appscanserverdbmgr.sh on Linux. If you are having database/server connection problems, this tool can be run at a command prompt (after the server and client components have been installed) with these parameters:

Table 2. appscanserverdbmgr.bat parameters

| Parameter | Description | IBM Security AppScan Enterprise Server Database Configuration graphical user interface equivalent |
|---|---|---|
| None | Launches a graphical user interface that allows you to enter and validate your AppScan Enterprise Server and AppScan Source Database configuration information, as described below. | |
| -s | URL for your AppScan Enterprise Server instance. For example, https://localhost:9443/asc/. | Server URL |
| -u | AppScan Enterprise Server and AppScan Source Database User ID. | User ID |
| -p | Password for your AppScan Enterprise Server and AppScan Source Database User ID. | Password |
| -forceTLSv12 | Specify true with this setting only if your AppScan Enterprise Server is enabled for NIST 800-131a compliance (failing to do this will cause server connections to fail). If your AppScan Enterprise Server is not enabled for NIST 800-131a compliance, specify false with this setting. | Force TLSv1.2 |
| -dbClient | Specify 1 if your AppScan Source Database is IBM solidDB. Specify 2 if it is Oracle. | IBM SolidDB or Oracle |
| -dbConnString | Database connection string (for example, "Driver={IBM solidDB 7.0 32-bit - (ANSI)}"). If you are running an Oracle database, you can specify a TNS alias, if you have configured the server according to “Oracle TNS Alias configuration” on page 70. | Connection String |
| -dbConnInfo | Database connection information (for example, "tcp myhostname.mydomain.com 2315"). Note: If localhost is specified rather than a fully-qualified host name, only the user of the local machine will be able to connect to the database. | Connection Info |
| -dbUserid | User ID for your database user account. | Database User ID |
| -dbPassword | Password for your database user account user ID. | Password |

If you are using the graphical user interface, click Validate Connection after completing all entries in the AppScan Enterprise Server section. Once the entries have been validated, complete the entries in the AppScan Source Database section and click Validate Connection. When the database entries are validated, click Apply changes to register the database with the server.

Backing up the AppScan Source Database

It is recommended that you protect yourself from loss of data in the AppScan Source Database by following routine backup procedures. You should back up the AppScan Source Database before upgrading to a new version or removing a previous version of AppScan Source.

To back up an Oracle database, contact the Oracle database administrator.

To learn how to manually back up and restore the IBM solidDB database, consult the IBM solidDB Administrator Guide that is referenced in http://www.ibm.com/support/docview.wss?rs=3457&uid=swg27017392.

Note: If you are upgrading AppScan Source Version 7.0 to Version 8.5, you will have the option of automatically creating a backup of solidDB that was installed with AppScan Source before removal of Rational AppScan Source Edition for Portfolio Manager Version 7.0 from your computer. If you choose this option, the backup will be saved to <install_dir>\solidDB\com.ouncelabs.db.<timestamp> (on Windows) or <install_dir>/solidDB/com.ouncelabs.db.<timestamp> (on Linux) (where <install_dir> is the location of your AppScan Source installation). For example, on Windows (32-bit), the backup will be saved to C:\Program Files\IBM\AppScan Source\solidDB\com.ouncelabs.db.<timestamp> by default.

Restoring the AppScan Source IBM solidDB database

To restore a solidDB database that you have backed up, follow the instructions in this task topic.

Procedure

1. Stop the IBM Security AppScan Source DB service.
2. Locate <install_dir>\soliddb\logs (on Windows) or <install_dir>/soliddb/logs (on Linux) (where <install_dir> is the location of your AppScan Source installation). Delete all files in that directory.
3. Copy the database backup to <install_dir>\solidDB\appscansrc (on Windows) or <install_dir>/solidDB/appscansrc (on Linux).
4. Start the IBM Security AppScan Source DB service.

Installing AppScan Source on OS X

This topic describes how to install the setup app on OS X.

Procedure

1. Start the installation wizard.
2. Installation on OS X requires an administrator password. To enter the administrator password, click the lock icon in the Authentication panel.
3. You are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed.
4. After you launch the installation wizard, the Welcome - Installation Wizard panel opens and recommends that you quit any open applications. Click Next to begin the installation procedure.

5. In the Component Selection installation panel, select the components to install. AppScan Source components are divided into server and client components:
   a. To install AppScan Source server components, select Server Component Selection and then choose the components to install:
      - AppScan Source Database
      - AppScan Source for Automation
   b. To install AppScan Source client components, select Client Component Selection and then choose the components to install:
      - AppScan Source for Analysis
      - AppScan Source Command Line Interface
      - AppScan Source for Development for Eclipse, RAD, Worklight (not selected by default)
      - Windows only: AppScan Source for Development for Visual Studio 2008 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2008 on your system)
      - Windows only: AppScan Source for Development for Visual Studio 2010 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2010 on your system)
      - Windows only: AppScan Source for Development for Visual Studio 2012 (not selected by default) (this option is only available if the installer has detected Microsoft Visual Studio 2012 on your system)

      By default, when Client Component Selection is selected, the AppScan Source for Development plug-in components are deselected and all other components are selected.

   After you have selected the components that you want to install, click Next to advance to the next installation panel.

6. In the Installation Target Specification page, specify the installation directory. The default directory is /Applications/AppScanSource.app on OS X.

   Important:
   - The installation directory name can only contain English characters. Folders with names containing non-English characters are not permitted.

   Click Next to advance to the next installation panel.
7. If the AppScan Source for Automation component was selected for installation, the IBM Security AppScan Source for Automation Configuration panel displays. In this page, specify:
   - Host Name: The host name or IP address of the AppScan Enterprise Server to which the Automation Server will connect.
   - User Name: The AppScan Source user that the Automation Server uses to process requests.
   - Password: AppScan Source user's password.
   - Confirm Password: Confirm the password.

   Click Next to advance to the next installation panel.

   Note: If you do not specify a user name and password during installation, you must configure AppScan Source for Automation after installation to run as an AppScan Source user by specifying login credentials from the command line. See the IBM Security AppScan Source Utilities User Guide for more information.

8. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

   By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

   After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

   Note: If you do not install a specific language pack, you will not be able to add that language post-installation.
9. Review and accept the terms of the license agreement and then click Next to continue.
10. Review the summary of installation options before proceeding. If you want to change your selections, click Previous to return to the previous pages. When you are satisfied with your installation choices, click Install. The installer copies files to the hard disk drive.

    For Linux server installations only: After copying files, you must identify the daemon user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with an existing user. (The installation validates that the user exists. Note that the selected user must have a valid shell.)

    During the installation, clicking Cancel at any time results in the uninstallation of all components.
11. In the Installation Complete panel, you can initiate product activation immediately after exiting the installation wizard by selecting Launch IBM Security AppScan Source License Manager. Click Done to complete the standard installation and exit the Installation Wizard.
12. In the License Manager utility:
    a. To apply a license file, click Import and then browse to your downloaded AppScan Source license.
    b. To apply a floating license, click Configure license servers and then click Add. Enter the information for the host machine that contains the floating license.

    See Chapter 7, “Activating the software,” on page 99 for additional activation instructions.

Results

If you installed AppScan Source for Automation and the user account that you specified for it in the Configuration installation panel does not already exist, you will need to create it manually (post-installation) with the AppScan Enterprise Server, AppScan Source for Analysis, or the AppScan Source command line interface (CLI). For complete access to AppScan Source for Automation capabilities, this user account requires these permissions:

- Application and Project Management
  - Register
  - Scan
- Assessment Management
  - Save Assessments
  - Publish Assessments

Important: After installing on OS X, AppScan Source may fail to launch if the system host name cannot be resolved. In this case, you may receive a message that includes this warning:

WARNING: "IOP00710208: (INTERNAL) Unable to determine local hostname from InetAddress.getLocalHost().getHostName()"

This occurs because AppScan Source relies on interprocess communication, requiring that localhost and your system host name can be resolved to an IP address.

To resolve this, ensure that localhost and your system host name can be resolved using the nslookup Terminal command. If they cannot be resolved, one way to ensure that they can is to modify your /etc/hosts file to include them. In the /etc/hosts file,

- Include a mapping of your host name to 127.0.0.1
- Include a mapping of localhost to 127.0.0.1
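The /etc/hosts check described above, as an added example (not part of the IBM guide): a POSIX shell function that reads a hosts file and reports, for each name given, the address it maps to or that no entry exists. The function name check_hosts_mapping and the output labels are assumptions; the function inspects only the hosts file and does not query DNS.

```shell
#!/bin/sh
# Added example (not IBM's code): report how names resolve from a hosts file.
# Usage: check_hosts_mapping HOSTS_FILE NAME...
#   e.g. check_hosts_mapping /etc/hosts localhost "$(hostname)"
# Prints "OK <name> <address>" or "UNMAPPED <name>" for each name.
# Returns 0 when every name has an entry, 1 when any is missing,
# 2 when the hosts file cannot be read.
check_hosts_mapping() {
    hosts_file=$1
    shift
    if [ ! -r "$hosts_file" ]; then
        echo "UNREADABLE $hosts_file"
        return 2
    fi
    rc=0
    for name in "$@"; do
        # First address whose name or alias column matches, ignoring
        # comments and letter case (host names are case-insensitive).
        addr=$(awk -v want="$name" '
            {
                sub(/#.*/, "")
                for (i = 2; i <= NF; i++) {
                    if (tolower($i) == tolower(want)) { print $1; exit }
                }
            }' "$hosts_file")
        if [ -n "$addr" ]; then
            echo "OK $name $addr"
        else
            echo "UNMAPPED $name"
            rc=1
        fi
    done
    return "$rc"
}
```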


Installing AppScan Source for Development

The AppScan Source for Development plug-ins are installed to your computer via the standard AppScan Source installation wizard.

If you are upgrading the AppScan Source product to a new product version and want to apply the upgrade to the AppScan Source for Development Eclipse plug-ins, you must first uninstall the plug-ins from your Eclipse or Eclipse-based product. After you have upgraded AppScan Source, you can then install the updated plug-ins back to Eclipse or supported Eclipse-based products. Instructions for this are located in “Upgrading previously-installed versions of the AppScan Source for Development Eclipse plug-in to a new product version” on page 79.

If you are upgrading the AppScan Source product as part of a fix pack upgrade, you do not need to uninstall the plug-ins before upgrading. Instructions for installing fix packs (and applying upgraded AppScan Source for Development plug-ins) can be found in “Fix pack installation” on page 84.

AppScan Source for Development (plug-in for Eclipse, IBM Worklight, and Rational Application Developer for WebSphere Software (RAD))

If you are installing the AppScan Source for Development plug-in for Eclipse or Rational Application Developer for WebSphere Software (RAD), you will need to apply the plug-ins to your workbench after installing them to your computer.

The application of the AppScan Source for Development Eclipse plug-in depends on the application of some Eclipse tools (the Graphical Editing Framework (GEF) and Draw2d). Most versions of Eclipse that are supported by AppScan Source for Development include these features. If yours does not, install these components into your Eclipse environment using the appropriate eclipse.org update site before installing AppScan Source for Development. Failure to do this may result in errors while applying the AppScan Source for Development plug-in to Eclipse.

If you are upgrading the AppScan Source product to a new product version and want to apply the upgrade to the AppScan Source for Development Eclipse plug-ins, you must first uninstall the plug-ins from your Eclipse or Eclipse-based product. After you have upgraded AppScan Source, you can then install the updated plug-ins back to Eclipse or supported Eclipse-based products. Instructions for this are located in “Upgrading previously-installed versions of the AppScan Source for Development Eclipse plug-in to a new product version” on page 79.

If you are upgrading the AppScan Source product as part of a fix pack upgrade, you do not need to uninstall the plug-ins before upgrading. Instructions for installing fix packs (and applying upgraded AppScan Source for Development plug-ins) can be found in “Fix pack installation” on page 84.

Note:

Attempts to run some actions in AppScan Source for Development (Eclipse plug-in) (for example, launching a scan or starting actions that require a login) can result in this error message (or one that is similar to it):

Unable to link native library shared-win32-x64.dll.
You may need to install an appropriate Microsoft Visual C++ 2010 Redistributable Package for your system.

When running on a 64-bit Java Runtime Environment, this typically indicates that the 64-bit Microsoft Visual C++ runtime library is unavailable. To resolve this problem, install the Microsoft Visual C++ 2010 Redistributable Package, available at http://www.microsoft.com/en-ca/download/details.aspx?id=14632.

Installing the plug-in for Eclipse and Rational Application Developer for WebSphere Software (RAD)

About this task

The AppScan Source Client installation includes the AppScan Source for Development plug-in for Eclipse and Rational Application Developer for WebSphere Software (RAD) components. The installation also requires Eclipse Updates and the addition of the plug-in to your development environment.

Procedure

1. Start the installation wizard.
2. Select AppScan Source for Development for Eclipse, RAD, Worklight from the list of client components.

   Click Next to advance to the next installation panel.

   Important: After the AppScan Source for Development plug-in installation, you must update the features from the Eclipse or Application Developer IDE.
3. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

   By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

   After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

   Note: If you do not install a specific language pack, you will not be able to add that language post-installation.
4. Review and accept the terms of the license agreement and then click Next to continue.
5. Review the summary of installation options before copying files. Click Install. The installer copies files to the hard disk drive.

Applying the AppScan Source for Development (Eclipse plug-in) to Eclipse and supported Eclipse-based products

Eclipse and Eclipse-based products include a feature that allows you to install new software. You can use the feature to update your installation or browse to plug-ins that you want to add to your installation. The instructions in this topic guide you through the application of the AppScan Source for Development plug-in to Eclipse Versions 3.6, 3.7, 3.8, 4.2, 4.2.x, 4.3, 4.3.1, and 4.3.2 and RAD Versions 8.0.x, 8.5, 8.5.1, 9.0, and 9.0.1 on Windows and Linux or RAD Versions 9.0 and 9.0.1 on OS X.

Procedure

1. Select Help > Install New Software from the main workbench menu bar.
2. In the Install dialog box Available Software page, click Add.
3. In the Add Site dialog box (in some versions of Eclipse, the dialog box is named Add Repository), specify a name for the update site in the Name field.
4. Follow these instructions for adding a site, depending on your operating system:
   a. Windows and Linux: Click Local. In the Browse for Folder dialog box, navigate to the AppScan Source installation directory (see “Default installation location” on page 57). Click OK to return to the Add Site dialog box and then click OK to add the update site.
   b. OS X: In the Location field, enter file:/Applications/AppScanSource.app/ and then click OK to add the update site.
5. The new site appears in the list. Complete this page according to your installation scenario:
   - Applying the plug-ins after a full product installation: Select the check box next to the IBM Security AppScan Source Security Analysis Feature local site.

     The application of the AppScan Source for Development Eclipse plug-in depends on the application of some Eclipse tools (the Graphical Editing Framework (GEF) and Draw2d). Most versions of Eclipse that are supported by AppScan Source for Development include these features. If yours does not, install these components into your Eclipse environment using the appropriate eclipse.org update site before installing AppScan Source for Development. Failure to do this may result in errors while applying the AppScan Source for Development plug-in to Eclipse.
   - Applying the plug-ins after a fix pack installation:
     - If you are applying the plug-ins to a development environment to which you had already applied previous versions of the plug-ins, select the check box next to the IBM Security AppScan Source Security Analysis Feature local site.
     - If you are applying the plug-ins to a development environment that does not already include the plug-ins, follow the above instructions for Applying the plug-ins after a full product installation.

     Note: The IBM Security AppScan Source Security Analysis Feature local site should include a client feature for the fix pack version that you are applying. If this feature is not present, it may be necessary to refresh or recreate the local site.

   Click Next to proceed to the next Install panel.
6. In the Install Details page, review the items to be installed and then click Next.
7. In the Review Licenses page, accept the license agreement and then click Finish.
8. When prompted, restart Eclipse. The Security Analysis menu appears after the installation completes. The first time you attempt to use an AppScan Source action, a message will open asking if you want to use an AppScan Enterprise Server. If you do not use a server, you cannot access shared items such as filters, scan configurations, and custom rules. This setting can be changed later in the General Preferences.

Additional AppScan Source for Development installation requirements

The AppScan Source for Development Eclipse plug-in requires additional configuration.

1. The AppScan Source for Development plug-in for Eclipse requires a Java Runtime Environment (JRE) that is Version 1.5 or higher. If your environment points to a JRE that does not meet this requirement, edit the eclipse.ini file in the Eclipse installation directory so that it points to a JRE that does meet this requirement. For information about making this change to the eclipse.ini file, see the Specifying the JVM section of http://wiki.eclipse.org/Eclipse.ini.
2. The AppScan Source for Development plug-in for Eclipse on Linux (Eclipse or RAD) requires that you add the AppScan Source installation directory to the LD_LIBRARY_PATH. For example, if you use the bash shell, add this line to the ~/.bashrc initialization:

   # ${VAR:+...} avoids a leading ':' (an empty entry, which the loader treats as the current directory) when LD_LIBRARY_PATH is unset
   export LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/opt/ibm/appscansource

Upgrading previously-installed versions of the AppScan Source for Development Eclipse plug-in to a new product version

To upgrade the AppScan Source for Development Eclipse plug-in to a new product version, you must remove or disable the current plug-ins from the computer and then install the newer version.

About this task

This task describes the process for upgrading various levels of Eclipse and Rational Application Developer for WebSphere Software (RAD) to apply the AppScan Source for Development Eclipse plug-in (full product installation).

Important: This topic does not apply to fix pack upgrades. If you are upgrading the AppScan Source product as part of a fix pack upgrade, you do not need to uninstall the plug-ins before upgrading. Instructions for installing fix packs (and applying upgraded AppScan Source for Development plug-ins) can be found in “Fix pack installation” on page 84.

Upgrading Eclipse and Rational Application Developer for WebSphere Software (RAD):

Procedure

1. Depending on the workbench that you are running, select Help > About <product name> from the main workbench menu bar (where <product name> is the name of the Eclipse-based product that you are upgrading).
2. In the About dialog box, click Installation Details.
3. In the Details dialog box, multiselect the components that were added for the previously-installed version of AppScan Source.
4. Click Uninstall.
5. When the uninstall procedure completes, restart the workbench if prompted.
6. Follow the steps in “Applying the AppScan Source for Development (Eclipse plug-in) to Eclipse and supported Eclipse-based products” on page 77 for applying the new developer plug-ins.
7. Optional: Follow the steps in “Applying the AppScan Source for Development (Eclipse plug-in) quality component to Eclipse and supported Eclipse-based products” on page 80 for applying the optional quality component.

AppScan Source for Development (plug-in for Eclipse and Rational Application Developer for WebSphere Software (RAD)) - Optional Quality component

After installing the AppScan Source for Development plug-in for Eclipse or Rational Application Developer for WebSphere Software (RAD) on Windows or Linux, you can choose to install an optional quality analysis component which provides a rich set of analysis rules for code review, software metrics, and data flow analysis.

Note: Quality scanning is not supported on OS X.

The AppScan Source for Development quality component must be installed after installing the security analysis component.

The application of the AppScan Source for Development quality component requires installation of the Eclipse development platform and the application of Eclipse CDT. Ensure that these requirements are fulfilled before installing the AppScan Source for Development quality component. Failure to do this may result in errors while applying the AppScan Source for Development quality component to Eclipse.

Applying the AppScan Source for Development (Eclipse plug-in) quality component to Eclipse and supported Eclipse-based products:

The AppScan Source for Development (Eclipse plug-in) quality component is applied in the same manner as the security component.

Procedure

1. Select Help > Install New Software from the main workbench menu bar.
2. In the Install dialog box Available Software page, click Add.
3. In the Add Site dialog box, specify a name for the update site in the Name field and then click Local.

   Note: In some versions of Eclipse, the dialog box is named Add Repository.
4. In the Browse for Folder dialog box, navigate to <install_dir>\quality (where <install_dir> is the location of your AppScan Source installation). Click OK to return to the Add Site dialog box and then click OK to add the update site.
5. The new site appears in the list. Complete this page according to your installation scenario:
   - Applying the plug-ins after a full product installation: Select the check box next to the AppScan Source Quality Analysis local site to ensure that all required component check boxes are selected.

     The application of the AppScan Source for Development quality component requires installation of the Eclipse development platform and the application of Eclipse CDT. Ensure that these requirements are fulfilled before installing the AppScan Source for Development quality component. Failure to do this may result in errors while applying the AppScan Source for Development quality component to Eclipse.
   - Applying the plug-ins after a fix pack installation:
     - If you are applying the plug-ins to a development environment to which you had already applied previous versions of the plug-ins, select the check box next to the AppScan Source Quality Analysis local site to ensure that all of the required component check boxes are selected.
     - If you are applying the plug-ins to a development environment that does not already include the plug-ins, follow the above instructions for Applying the plug-ins after a full product installation.

     Note: The AppScan Source Quality Analysis local site should include a client feature for the fix pack version that you are applying. If this feature is not present, it may be necessary to refresh or recreate the local site.

   Click Next to proceed to the next Install panel.
6. In the Install Details page, review the items to be installed and then click Next.
7. In the Review Licenses page, accept the license agreement and then click Finish.
8. When prompted, restart Eclipse.

Installing the AppScan Source for Development plug-in for Visual Studio

About this task

Important: You must have Visual Studio 2008, Visual Studio 2010, or Visual Studio 2012 installed on your computer before installing the AppScan Source for Development plug-in for Visual Studio. The AppScan Source for Development plug-in for Visual Studio is only supported on Windows.

If the AppScan Source setup wizard finds an installed version of one of these versions of Visual Studio, the AppScan Source for Development plug-in for that Visual Studio version appears as an installation option.

Procedure1. Ensure that Visual Studio is closed. If Visual Studio is running during the

AppScan Source for Development installation, it will need to be restarted whenthe installation is complete.

2. Start the installation wizard.3. Select the appropriate version of the plug-in from the list of client components:

v AppScan Source for Development for Visual Studio 2008

v AppScan Source for Development for Visual Studio 2010

v AppScan Source for Development for Visual Studio 2008

Note:

v These options are only available for the version of Visual Studio that hasbeen installed on the machine that is running the installation wizard. Forexample, if Visual Studio 2008 and Visual Studio 2010 are on the clientmachine, but Visual Studio 2012 is not, only options for installing AppScanSource for Development for Visual Studio 2008 and AppScan Source forDevelopment for Visual Studio 2010 will be available in the installationwizard.

v You can choose to install the plug-in for multiple versions of Visual Studio, ifthey have been detected by the installation wizard.

Click Next advance to the next installation panel.4. In the language pack selection panel, choose the language packs to install.

When you install a language pack, the AppScan Source user interface willdisplay in that language when it runs on an operating system that is runningthat locale.By default, English is selected (and cannot be deselected). If the installationwizard is displaying a national language other than English (in other words, alanguage other than English was selected in the installation wizard welcomepanel), that language will also be selected in this panel (however, it can bedeselected).After you have selected the language packs that you want to install, click Nextto advance to the next installation panel.


   Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

5. Review and accept the terms of the license agreement and then click Next to continue.

6. Review the summary of installation options before copying files. Click Install. The installer copies files to the hard disk drive.

Installing AppScan Source for Automation

About this task

AppScan Source for Automation is an optional component in the installation packages.

Important: To install AppScan Source for Automation, you must have root/administrator privileges.

Procedure

1. Start the installation wizard.

2. Select Server Component Selection and then select AppScan Source for Automation as the component to install. Click Next to advance to the next installation panel.

3. Specify the installation directory.

   - 32-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files\IBM\AppScanSource
   - 64-bit versions of Microsoft Windows: <SYSTEMDRIVE>:\Program Files (x86)\IBM\AppScanSource
   - Linux: If you are the root user, the Installation Wizard installs your software in /opt/ibm/appscansource. If you are not the root user, you can install the AppScan Source for Development Eclipse plug-in - which installs to <home_directory>/AppScan_Source by default.
   - OS X: /Applications/AppScanSource.app

   Click Next to advance to the next installation panel.

4. In the IBM Security AppScan Source for Automation Configuration panel, specify:

   - Host Name: The host name or IP address of the AppScan Enterprise Server to which the Automation Server will connect.
   - User Name: The AppScan Source user that the Automation Server uses to process requests.
   - Password: AppScan Source user's password.
   - Confirm Password: Confirm the password.

   Click Next to advance to the next installation panel.

   Note: If you do not specify a user name and password during installation, you must configure AppScan Source for Automation after installation to run as an AppScan Source user by specifying login credentials from the command line. See the IBM Security AppScan Source Utilities User Guide for more information.


5. In the language pack selection panel, choose the language packs to install. When you install a language pack, the AppScan Source user interface will display in that language when it runs on an operating system that is running that locale.

   By default, English is selected (and cannot be deselected). If the installation wizard is displaying a national language other than English (in other words, a language other than English was selected in the installation wizard welcome panel), that language will also be selected in this panel (however, it can be deselected).

   After you have selected the language packs that you want to install, click Next to advance to the next installation panel.

   Note: If you do not install a specific language pack, you will not be able to add that language post-installation.

6. Review and accept the terms of the license agreement and then click Next to continue.

7. Review the summary of installation options before copying files.

8. The installation requests the following:

   - AppScan Enterprise Server: The host name or IP address of the AppScan Enterprise Server to which AppScan Source for Automation will connect.
   - User Name: The AppScan Source user that AppScan Source for Automation will use to process requests.
   - Password: The password for the user specified in the User Name field.
   - Confirm Password: Confirm the password.

9. Click Next to install the files, and then click Done to complete the installation.

Results

If the AppScan Source user account does not already exist, you will need to specify it in the AppScan Source for Automation Configuration installation panel and then create it manually (post-installation) with the AppScan Enterprise Server, AppScan Source for Analysis, or the AppScan Source command line interface (CLI). For complete access to AppScan Source for Automation capabilities, this user account requires these permissions:

- Application and Project Management
  - Register
  - Scan
- Assessment Management
  - Save Assessments
  - Publish Assessments

Syntax

On Windows:

    <install_dir>\bin\ounceautod.exe -u <user name> -p <password> --persist

On Linux and OS X:

    <install_dir>/bin/ounceautod -u <user name> -p <password> --persist

Where:

- <install_dir> is the location of your AppScan Source installation.


- -u <user name> is the AppScan Source user with which the Automation Server authenticates when processing a request. The user must be created with the required permissions.
- -p <password> is the user's password. If you specify a user name, you must specify the password.
- --persist preserves the login credentials on disk. Creates an encrypted key file with the specified user name and password.

After you specify the user name and password, you can start the Automation Server:

- On Windows, start the IBM Security AppScan Source for Automation service.
- On Linux, start the daemon by issuing this command:

      /etc/init.d/ounceautod start

- On OS X, issue this command:

      launchctl start com.ibm.appscan.autod

Fix pack installation

AppScan Source fix packs are delivered by delta installer. To apply an AppScan Source fix pack, follow the instructions in this help topic.

About this task

Important: You cannot create a custom installation with the fix pack installer.

Procedure

1. Download and launch the fix pack installation executable file:

   - Microsoft Windows:
     - Run setup.exe to launch the installation wizard.
     - To run the installation silently, issue setup.exe -i silent -D$LICENSE_ACCEPTED$="true" at a command prompt, where:
       - The -i silent parameter is used to indicate that the installation will run silently.
       - The -D$LICENSE_ACCEPTED$="true" parameter indicates that you accept the product license.
   - Linux: From a command prompt,
     - Issue the setup.bin command to launch the installation wizard.
     - To run the installation silently, issue setup.bin -i silent -D$LICENSE_ACCEPTED$="true", where:
       - The -i silent parameter is used to indicate that the installation will run silently.
       - The -D$LICENSE_ACCEPTED$="true" parameter indicates that you accept the product license. Note that, depending on the shell being used to run the installation, this parameter may need to be escaped by issuing -D\$LICENSE_ACCEPTED\$="true".
   - OS X: Open setup.dmg and then run the setup app.

     Note: Silent installation of fix packs is not supported on OS X.

   If you are installing with the installation wizard, complete the remaining steps.

2. When you first launch the installation wizard, you are presented with a screen that allows you to select the national language that will be displayed in the installation panels. Select the language and click OK to proceed.


3. Read the Welcome - Installation Upgrade Wizard panel, heeding any recommendations that it contains. Click Next to proceed.

4. In the Setup Confirmation panel, review the installation information summary before proceeding, and then click Install to apply the fix pack.

5. If you are upgrading an installation that included the AppScan Source Database, a database update installation panel will display (if the fix pack includes a database upgrade). In this panel, enter the credentials for the database user account and then click Start. When the database upgrade is complete, click Next.

   Note:

   - Upgrading solidDB: During the database upgrade, a backup of the existing database is created. If the database upgrade fails, the installer will revert to the backup and allow you to start the database upgrade again (if there are problems with the existing database that prevent the upgrade, you can restart the database upgrade after resolving the problems).
   - Upgrading Oracle: If the database upgrade fails, the installer will allow you to start the database upgrade again (if there are problems with the existing database that prevent the upgrade, you can restart the database upgrade after resolving the problems).

6. Review any messages in the Installation Complete panel and then click Done. It is recommended that you restart your system after the installation is complete.

What to do next

On Windows or Linux, if your development environment includes the AppScan Source for Development Eclipse plug-ins, you will need to apply the plug-ins to your workbench after installing the fix pack. Instructions for doing this can be found in this topic:

- “Applying the AppScan Source for Development (Eclipse plug-in) to Eclipse and supported Eclipse-based products” on page 77


Chapter 5. Customizing the AppScan Source installation

You can customize the installation for the purpose of creating a custom installation wizard - or you can create a custom installer that installs the product silently.

Note: When applying fix packs, you cannot create custom installations. This section does not apply to fix pack installations. To learn how to run fix pack installations silently, see “Fix pack installation” on page 84.

In an enterprise deployment, the AppScan Source administrator can customize the installation for specific classes of users. Creating a custom installation includes limiting the component availability, selection, or both, as well as defining default values for the installation attributes.

With the Custom Installation Wizard, you can create as many custom installations as necessary, including silent installations. You can manage and standardize the manner in which all the users in your organization install AppScan Source products.

If you are deploying AppScan Source throughout a large organization, it is most efficient first to install on a network server and then have users initiate installation from this central point of control.

Creating a custom or silent installation

AppScan Source includes a graphical Installation Configuration Wizard that an administrator can use to create a silent (noninteractive) installation or a custom graphical installation.

When the administrator runs the installer to create a custom installation, a new configuration properties file is generated. This properties file is then available for use by the AppScan Source installer.

The Installation Configuration Wizard can modify an existing configuration file or create a new configuration file. The wizard provides the ability to customize the installation by defining:

- If the installation is interactive or silent.
- Available components for installation (available for interactive installations only).
- Default component selection (available for interactive installations only).
- Which components are mandatory or automatically installed.
- Default installation folder.
- Default language packs to install.
- The license file or license server to be used.
- User account to be used by AppScan Source for Automation (if it is selected as a component or available component for installation).

Note: If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR).


Launching the Installation Configuration Wizard

This topic describes how to launch the Installation Configuration Wizard (the wizard that is used for creating a custom or silent installation file).

About this task

An administrator initiates the configuration tool by defining the environment variable OUNCE_CONFIG_FILE and pointing it to a properties file that will hold installation configuration settings. This file is then used for running custom or silent installations.

Note: When setting OUNCE_CONFIG_FILE, do not put quotes around the value, even if the value contains spaces.

Procedure

- On Windows systems, issue these commands:

      set OUNCE_CONFIG_FILE=<path>
      setup.exe

  Where <path> is the fully-qualified path and filename of the properties file that will contain installation settings. For example, issue set OUNCE_CONFIG_FILE=C:\install.properties to save installation settings to that file.

- On Linux systems:

      export OUNCE_CONFIG_FILE=<path>
      ./setup.bin

  Where <path> is the fully-qualified path and filename of the properties file that will contain installation settings.

- On OS X systems:

  1. Issue this command against the AppScan Source setup.dmg file:

         hdiutil attach setup.dmg -shadow

     This will extract the setup.app directory into the /Volumes/AppScanSource directory. It will also create a setup.dmg.shadow file which you should delete after the installation is complete.

  2. Initiate the creation of the properties file by issuing these commands:

         export OUNCE_CONFIG_FILE=<path>
         ./setup.app

     Where <path> is the fully-qualified path and filename of the properties file that will contain installation settings. Note that the filename must be install.properties on OS X.

  3. Copy installer.properties to the /Volumes/AppScanSource/setup.app/Contents/Resources directory.

Results

If the file name exists and is valid, the custom wizard uses the properties in the file as the default properties. You can save the configuration with the existing file name or a new file name. If the file name does not exist, the wizard uses the AppScan Source default properties, and the specified file name appears as the default when you save the configuration.

Using the Custom Installation Configuration Wizard

The Custom Installation Wizard appears and identifies that you are about to create a configuration file to use for an AppScan Source installation.


About this task

If you run the Custom Installation Wizard on a Windows system, the Linux daemon user step appears. If a Windows installation uses the final configuration file, it ignores this value.

Procedure

1. In the Silent Installation Option panel, configure the installation type by indicating if the installation should be silent or not. Select No if you want to create an interactive custom installation.

   Note: If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR).

   Click Next to advance to the next installation panel.

2. Interactive custom installations only: If you are creating an interactive custom installer (No was selected in the Silent Installation Option panel), you will need to complete three Component Selection panels:

   a. In the first panel, select the AppScan Source components that will be available (or display) in the interactive custom installation:

      - AppScan Source for Automation
      - AppScan Source for Analysis
      - AppScan Source Command Line Interface
      - AppScan Source for Development for Visual Studio 2012
      - AppScan Source for Development for Visual Studio 2010
      - AppScan Source for Development for Visual Studio 2008
      - AppScan Source for Development for Eclipse, RAD, Worklight

      Note: If the target operating system does not support a selected component - or if a selected component relies on software that does not exist on the system - the installation will ignore it, even if it is selected. For example, if the custom installer will be used for installing on a system that does not have a supported version of Microsoft Visual Studio installed on it, selecting AppScan Source for Development for Visual Studio 2012 for installation will be ignored when the custom installer is deployed.

      The remaining Component Selection panels allow you to indicate if displayed components are selected by default or enabled in the installation panel (components that are not enabled are greyed out when the installer is deployed and cannot be selected). For example, you may want the custom installer to force the installation of a component. You can achieve this by having the component selected by default, but not enabled.

      If a component is set to be available, but not selected by default or enabled, the component will not install (it will be greyed out and not selected for installation).

      Click Next to advance to the next installation panel.

   b. The next Component Selection panel only displays components that were selected to be available in the interactive custom installation. In this panel, identify which available components are to be selected by default. Click Next to advance to the next installation panel.

   c. Identify the components to enable for user selection/deselection in the custom installation. Disabling a component makes the installation of that component mandatory (provided it has been set to be selected by default). Click Next to advance to the next installation panel.


3. Silent custom installations only: If you are creating a silent custom installer (Yes was selected in the Silent Installation Option panel), select the AppScan Source components that the silent installer will install:

   - AppScan Source for Automation
   - AppScan Source for Analysis
   - AppScan Source Command Line Interface
   - AppScan Source for Development for Visual Studio 2012
   - AppScan Source for Development for Visual Studio 2010
   - AppScan Source for Development for Visual Studio 2008
   - AppScan Source for Development for Eclipse, RAD, Worklight

   Note: If the target operating system does not support a selected component - or if a selected component relies on software that does not exist on the system - the installation will ignore it, even if it is selected. For example, if the custom installer will be used for installing on a system that does not have a supported version of Microsoft Visual Studio installed on it, selecting AppScan Source for Development for Visual Studio 2012 for installation will be ignored when the custom installer is deployed.

4. Select the target installation directory. For a silent installation, this is the installation directory. For an interactive installation, this is the default value.

   Tip: If you run the wizard with an existing configuration file, it reads the values from the file and uses them as the default values.

   Click Next to advance to the next installation panel.

5. In the License File Specification panel, specify the location of your license file or indicate the host name and port of your license server. Click Next to advance to the next installation panel.

6. In the Specify Properties File panel, specify the name and location of the target properties file. If the wizard uses an existing configuration file, the default path name appears. You can change the file name to create a new configuration file.

   For Linux server installations only: Identify which Linux user will run the AppScan Source daemons. After copying files, you must identify the service user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with the existing user. (The installation validates that user. Note that the selected user must have a valid shell.)

   Click Next to save the properties file.

Running a custom or silent installation

This topic describes, by platform, how to run a custom or silent installation from a command line.

Before you begin

When launching the wizard that allows you to create a custom installation (see “Launching the Installation Configuration Wizard” on page 88), you create an OUNCE_CONFIG_FILE environment variable. Before running the custom installation, ensure that this environment variable is removed.

Procedure

- On Windows systems, issue this command:

      setup.exe -f c:\install.properties


- On Linux systems:

      setup.bin -f /usr/local/share/my_configs/custom_install.properties

- On OS X systems:

  1. Issue this command:

         sudo open /Volumes/AppScanSource/setup.app/Contents/MacOS/setup.app

  2. When creating the properties file as explained in “Launching the Installation Configuration Wizard” on page 88, a volume was created for the AppScan Source setup.dmg file. After the installation is complete, issue this command to detach the volume:

         hdiutil detach /Volumes/AppScanSource

     Note: During installation, the Setup icon appears in the dock. Installation is complete when the icon no longer appears.

  3. When creating the properties file as explained in “Launching the Installation Configuration Wizard” on page 88, a setup.dmg.shadow was created. To remove this file, issue this command:

         rm -f setup.dmg.shadow
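A pre-flight wrapper for the Linux command above, as an added example that is not part of the IBM guide: it enforces the two conditions this guide states for silent custom installations (OUNCE_CONFIG_FILE removed, no Turkish locale) and adds a check that the properties file is not group- or world-writable, since that file may be served from a shared folder. Function names, return codes, the list of locale variables and the write-permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM guide): pre-flight checks for a silent
# custom installation on Linux. Function names and return codes are hypothetical.

# is_turkish_locale VALUE...
# Succeeds if any given locale string names a Turkish locale
# (tr, tr_TR, tr_TR.UTF-8, ...).
is_turkish_locale() {
    for loc in "$@"; do
        case "$loc" in
            tr|tr_*|tr.*|tr@*) return 0 ;;
        esac
    done
    return 1
}

# preflight PROPERTIES_FILE
# Returns 0 when it is safe to start the installer, otherwise:
#   2  OUNCE_CONFIG_FILE is still defined (the guide says to remove it first)
#   3  a Turkish locale is active (silent custom installs do not succeed there)
#   4  the properties file is missing or unreadable
#   5  the properties file is writable by group or others (added check)
preflight() {
    props="$1"

    # Set-but-empty still counts as defined, so test for existence.
    if [ -n "${OUNCE_CONFIG_FILE+set}" ]; then
        echo "preflight: unset OUNCE_CONFIG_FILE before installing" >&2
        return 2
    fi

    # Assumption: the guide does not say which variable the installer reads,
    # so every common locale variable is checked.
    if is_turkish_locale "${LC_ALL:-}" "${LC_CTYPE:-}" "${LC_MESSAGES:-}" "${LANG:-}"; then
        echo "preflight: Turkish locale active; silent install will not succeed" >&2
        return 3
    fi

    if [ ! -f "$props" ] || [ ! -r "$props" ]; then
        echo "preflight: cannot read properties file: $props" >&2
        return 4
    fi

    # The file decides components, install directory, license server and the
    # Automation account, so nobody but its owner should be able to edit it.
    if [ -n "$(find "$props" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "preflight: $props is group- or world-writable" >&2
        return 5
    fi
    return 0
}

# run_silent_install INSTALLER PROPERTIES_FILE
# Runs "INSTALLER -f PROPERTIES_FILE" only if preflight passes.
run_silent_install() {
    installer="$1"
    preflight "$2" || return $?
    "$installer" -f "$2"
}
```

Call it as `run_silent_install ./setup.bin /usr/local/share/my_configs/custom_install.properties`; a non-zero return identifies which condition blocked the installation.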

Example: Install AppScan Source through a custom installation

This example illustrates how you might deploy a custom installation wizard.

About this task

An Information Technology (IT) department wants to limit or control the installation options for targeted users.

Before creating the custom installation, the administrator deploys the AppScan Source software installation files to a file server to which the user has access. The IT department also identifies the different installation configurations based on the various AppScan Source products that each type of user requires.

To install AppScan Source with a custom installation:

Procedure

1. The IT department copies the appropriate contents either from the AppScan Source installation CD or from an FTP download onto the file server.

2. IT uses the Custom Installation Wizard to create the required installation configuration files for each required installation type, such as AppScan Source for Development and AppScan Source for Analysis.

3. IT places configuration files in a shared public folder.

4. IT sends email to appropriate users. The email contains the hyperlink that, when clicked, initiates the appropriate AppScan Source installation for that user.

5. The user checks email and sees a link to the installation location of applicable AppScan Source products.

6. The user initiates the installation from the hyperlink in the email. For example, the hyperlink accesses an IT-provided .bat file or script that makes the appropriate call to setup -f install.properties.

7. The AppScan Source installation begins, displaying the default, but modifiable, options as defined by the IT custom installation configuration. (This includes the Component Selection wizard page.)


Results

After this installation:

- The appropriate AppScan Source products are on the desktop
- The default Host Server is identified
- The license file is copied to the target computer (optional)


Chapter 6. AppScan Source silent installers

The AppScan Source custom installation wizard is used for creating silent installers.

To learn about customizing AppScan Source installations, see Chapter 5, “Customizing the AppScan Source installation,” on page 87.

Note: When applying fix packs, you cannot create custom installations. This section does not apply to fix pack installations. To learn how to run fix pack installations silently, see “Fix pack installation” on page 84.

Creating a custom or silent installation

AppScan Source includes a graphical Installation Configuration Wizard that an administrator can use to create a silent (noninteractive) installation or a custom graphical installation.

When the administrator runs the installer to create a custom installation, a new configuration properties file is generated. This properties file is then available for use by the AppScan Source installer.

The Installation Configuration Wizard can modify an existing configuration file or create a new configuration file. The wizard provides the ability to customize the installation by defining:

- If the installation is interactive or silent.
- Available components for installation (available for interactive installations only).
- Default component selection (available for interactive installations only).
- Which components are mandatory or automatically installed.
- Default installation folder.
- Default language packs to install.
- The license file or license server to be used.
- User account to be used by AppScan Source for Automation (if it is selected as a component or available component for installation).

Note: If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR).

Launching the Installation Configuration Wizard

This topic describes how to launch the Installation Configuration Wizard (the wizard that is used for creating a custom or silent installation file).

About this task

An administrator initiates the configuration tool by defining the environment variable OUNCE_CONFIG_FILE and pointing it to a properties file that will hold installation configuration settings. This file is then used for running custom or silent installations.


Note: When setting OUNCE_CONFIG_FILE, do not put quotes around the value, even if the value contains spaces.

Procedure

- On Windows systems, issue these commands:

      set OUNCE_CONFIG_FILE=<path>
      setup.exe

  Where <path> is the fully-qualified path and filename of the properties file that will contain installation settings. For example, issue set OUNCE_CONFIG_FILE=C:\install.properties to save installation settings to that file.

- On Linux systems:

      export OUNCE_CONFIG_FILE=<path>
      ./setup.bin

  Where <path> is the fully-qualified path and filename of the properties file that will contain installation settings.

- On OS X systems:

  1. Issue this command against the AppScan Source setup.dmg file:

         hdiutil attach setup.dmg -shadow

     This will extract the setup.app directory into the /Volumes/AppScanSource directory. It will also create a setup.dmg.shadow file which you should delete after the installation is complete.

  2. Initiate the creation of the properties file by issuing these commands:

         export OUNCE_CONFIG_FILE=<path>
         ./setup.app

     Where <path> is the fully-qualified path and filename of the properties file that will contain installation settings. Note that the filename must be install.properties on OS X.

  3. Copy installer.properties to the /Volumes/AppScanSource/setup.app/Contents/Resources directory.

Results

If the file name exists and is valid, the custom wizard uses the properties in the file as the default properties. You can save the configuration with the existing file name or a new file name. If the file name does not exist, the wizard uses the AppScan Source default properties, and the specified file name appears as the default when you save the configuration.

Using the Custom Installation Configuration Wizard

The Custom Installation Wizard appears and identifies that you are about to create a configuration file to use for an AppScan Source installation.

About this task

If you run the Custom Installation Wizard on a Windows system, the Linux daemon user step appears. If a Windows installation uses the final configuration file, it ignores this value.

Procedure

1. In the Silent Installation Option panel, configure the installation type by indicating if the installation should be silent or not. Select No if you want to create an interactive custom installation.


   Note: If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR).

   Click Next to advance to the next installation panel.

2. Interactive custom installations only: If you are creating an interactive custom installer (No was selected in the Silent Installation Option panel), you will need to complete three Component Selection panels:

   a. In the first panel, select the AppScan Source components that will be available (or display) in the interactive custom installation:

      - AppScan Source for Automation
      - AppScan Source for Analysis
      - AppScan Source Command Line Interface
      - AppScan Source for Development for Visual Studio 2012
      - AppScan Source for Development for Visual Studio 2010
      - AppScan Source for Development for Visual Studio 2008
      - AppScan Source for Development for Eclipse, RAD, Worklight

      Note: If the target operating system does not support a selected component - or if a selected component relies on software that does not exist on the system - the installation will ignore it, even if it is selected. For example, if the custom installer will be used for installing on a system that does not have a supported version of Microsoft Visual Studio installed on it, selecting AppScan Source for Development for Visual Studio 2012 for installation will be ignored when the custom installer is deployed.

      The remaining Component Selection panels allow you to indicate if displayed components are selected by default or enabled in the installation panel (components that are not enabled are greyed out when the installer is deployed and cannot be selected). For example, you may want the custom installer to force the installation of a component. You can achieve this by having the component selected by default, but not enabled.

      If a component is set to be available, but not selected by default or enabled, the component will not install (it will be greyed out and not selected for installation).

      Click Next to advance to the next installation panel.

   b. The next Component Selection panel only displays components that were selected to be available in the interactive custom installation. In this panel, identify which available components are to be selected by default. Click Next to advance to the next installation panel.

   c. Identify the components to enable for user selection/deselection in the custom installation. Disabling a component makes the installation of that component mandatory (provided it has been set to be selected by default). Click Next to advance to the next installation panel.

3. Silent custom installations only: If you are creating a silent custom installer (Yes was selected in the Silent Installation Option panel), select the AppScan Source components that the silent installer will install:

   - AppScan Source for Automation
   - AppScan Source for Analysis
   - AppScan Source Command Line Interface
   - AppScan Source for Development for Visual Studio 2012
   - AppScan Source for Development for Visual Studio 2010
   - AppScan Source for Development for Visual Studio 2008


v AppScan Source for Development for Eclipse, RAD, Worklight

Note: If the target operating system does not support a selected component -or if a selected component relies on software that does not exist on the system -the installation will ignore it, even if it is selected. For example, if the custominstaller will be used for installing on a system that does not have a supportedversion of Microsoft Visual Studio installed on it, selecting AppScan Source forDevelopment for Visual Studio 2012 for installation will be ignored when thecustom installer is deployed.

4. Select the target installation directory. For a silent installation, this is the installation directory. For an interactive installation, this is the default value.

Tip: If you run the wizard with an existing configuration file, it reads the values from the file and uses them as the default values.

Click Next to advance to the next installation panel.

5. In the License File Specification panel, specify the location of your license file or indicate the host name and port of your license server. Click Next to advance to the next installation panel.

6. In the Specify Properties File panel, specify the name and location of the target properties file. If the wizard uses an existing configuration file, the default pathname appears. You can change the file name to create a new configuration file.

For Linux server installations only: Identify which Linux user will run the AppScan Source daemons. After copying files, you must identify the service user. Select Create User 'ounce' or Run with Existing User, either to create the default user, ounce, or run with the existing user. (The installation validates that user. Note that the selected user must have a valid shell.)

Click Next to save the properties file.

Running a custom or silent installation
This topic describes, by platform, how to run a custom or silent installation from a command line.

Before you begin

When launching the wizard that allows you to create a custom installation (see “Launching the Installation Configuration Wizard” on page 88), you create an OUNCE_CONFIG_FILE environment variable. Before running the custom installation, ensure that this environment variable is removed.

Procedure
• On Windows systems, issue this command:

    setup.exe -f c:\install.properties

• On Linux systems:

    setup.bin -f /usr/local/share/my_configs/custom_install.properties

• On OS X systems:
  1. Issue this command:

      sudo open /Volumes/AppScanSource/setup.app/Contents/MacOS/setup.app

  2. When creating the properties file as explained in “Launching the Installation Configuration Wizard” on page 88, a volume was created for the AppScan Source setup.dmg file. After the installation is complete, issue this command to detach the volume:

      hdiutil detach /Volumes/AppScanSource

     Note: During installation, the Setup icon appears in the dock. Installation is complete when the icon no longer appears.

  3. When creating the properties file as explained in “Launching the Installation Configuration Wizard” on page 88, a setup.dmg.shadow was created. To remove this file, issue this command:

      rm -f setup.dmg.shadow

Example: Install AppScan Source silently through an Installation Framework

This example illustrates how you might deploy a silent installation.

About this task

An Information Technology (IT) department wants to install the client components silently through their installation framework.

Before creating the client custom installation, the AppScan Source administrator deploys the installation files to a file server to which the installation framework has access. The IT department also identifies the different installation configurations based on the various AppScan Source components that each type of user requires.

To install AppScan Source with a custom silent installation:

Procedure
1. The IT department copies the appropriate contents either from the AppScan Source installation CD or from an FTP download onto the file server.
2. IT uses the Custom Installation Wizard to create the required installation configuration files for each required installation type, such as AppScan Source for Development and AppScan Source for Analysis.
3. IT places the configuration files in a shared public folder.
4. IT configures the installation framework to recognize the AppScan Source installation and associates appropriate command line calls and installation configurations into the installation framework.
5. The user checks for updates through the installation framework client (on the desktop) and the appropriate (user-specific) AppScan Source product displays in the list for installation.
6. The user initiates installation through the installation framework client.
7. AppScan Source silently installs on the user's desktop computer.

Results

After this installation:
• The appropriate AppScan Source products are installed on the desktop and configured to connect to the AppScan Enterprise Server.
• The license file is copied to the target computer.


Chapter 7. Activating the software

You must activate your software before you can use any AppScan Source product. AppScan Source provides a License Manager utility that is used for loading and updating license information on your client machine. This utility allows you to view your current license status - or you can use the utility to activate the product by importing a license file or by using a floating license on a license server. When you launch License Manager, it will scan for any licenses that have previously been loaded.

After installing your AppScan Source product, you have three choices for activation:
• You can launch the License Manager utility from the product installation wizard (upon installation completion).
• You can launch the License Manager utility after installing the product:
  – On Windows, launch the utility from the Start menu (in the Programs menu, launch IBM Security AppScan Source > AppScan Source License Manager).
  – On Linux, locate <install_dir>/bin (where <install_dir> is the location of your AppScan Source installation) and run licensemgr.sh by issuing the command ./licensemgr.sh.
  – On OS X, locate /Applications/AppScanSource.app/bin and run licensemgr.sh by issuing the command ./licensemgr.sh.
• You can launch the product. If a license has not already been applied for product usage, you will receive a message indicating that a license must be applied before the product can be used. If you click OK in this message, the License Manager utility will open.

To learn more about obtaining and applying licenses for AppScan Source products, see http://www.ibm.com/support/docview.wss?uid=swg21405482.

Note:

• The License Manager utility must be launched from the installation wizard or Windows Start menu if you are activating a product with a command-line user interface. If you attempt to use a product with a command line interface without first activating the software, you will receive an error message prompting you to activate your software through the License Manager utility.
• If you are running the AppScan Enterprise Server without first applying a license, you will receive an error message when you attempt to connect to the server.
• For complete use of AppScan Source for Development functionality, its license must be applied with the license for AppScan Source for Remediation.

Importing a license file
This task topic describes the procedure for importing AppScan Source license files.

Procedure
1. AppScan Source license files have a .upd or .txt file extension. Ensure that the license is available on your local file system or on a mapped drive.
2. Click Import license.
3. Use the Import license file dialog box to browse for the license file. Select the license file and then click OK.

   Note: If you are browsing for a license file on OS X, the contents of the Import license file dialog box may stop displaying (a folder will open, however, its contents do not display). To work around this, select a different folder - and then re-select the folder whose contents you want to display.

4. When the License file has been imported successfully message appears, click OK to complete activation.
5. Close License Manager to begin using the license when you launch the installed product or products.

Using a floating license
This task topic describes the procedure for configuring a license server or multiple license servers for floating license activation.

Procedure
1. Click Configure license servers to open the Configure license servers dialog box.
2. Click Add.
3. Enter the Host name and Port of a license server and then click Save Changes. Repeat this step to add multiple license servers.

   Note: The default port for the license server is 27000. Edit this value only if you have set the license server to run on a different port.

4. If you add a license server and need to edit its host name or port, select the server in the list. This will populate the Host name and Port fields. You can edit these settings and then click Save Changes to save the changes to the license server settings.
5. If you add multiple license servers, they will be scanned in the order that they appear in the list in this dialog box. If a floating license for an AppScan Source feature is found, the scan for floating licenses will stop. To change the order in which servers are scanned, select the server that you want to move in the list and then click Up or Down.
6. Click OK when you have configured all license servers.

Results

After the dialog box closes, the configured license servers are searched for AppScan Source feature floating licenses. When found, they appear in the License Manager license list.

If you modify the license server, click Refresh to ensure that License Manager has access to the current license server information.

When you are finished configuring floating license servers, close License Manager to begin using the license or licenses when you launch the installed product or products.

Note: AppScan Source floating licenses must be hosted on a Rational License Server Version 8 or higher. If they are hosted on a lower level of Rational License Server, they will be visible in License Manager, however AppScan Source will fail to use them.

For teams that use AppScan Source for Development, floating scanning licenses can be released directly from the user interface, allowing other team members to acquire licenses when they need them. In local mode, there is a Release Scanning License action - whereas, in server mode, the license is released as part of the Log Out from Server action. After a license is released, it will automatically be reacquired when a scan is initiated (if a license is available).

Viewing licenses

The list of licenses in the License Manager utility indicates:
• The AppScan Source products and features that the license or licenses apply to (licenses for other IBM products will not appear in this utility).
• The license type: Licenses are either floating or nodelocked (indicating an imported license file).
• License expiration: The number of days left in the license is displayed. If the number of days is greater than 365, the license expiration is simply marked Valid.
• The total number of licenses available on all specified servers.


Chapter 8. Removing AppScan Source from your system

You can remove AppScan Source from the Windows Control Panel or with a Linux or OS X uninstall script. The AppScan Source uninstall does not remove or back up an installed Oracle database. Deleting the AppScan Source user from an Oracle instance is a manual database administrative task.

About this task
• “Removing from Microsoft Windows platforms”
• “Removing from Linux platforms”
• “Removing from OS X platforms”

Removing from Microsoft Windows platforms

Procedure
1. Use the Control Panel option for removing programs. For example, on Windows 7, select the Programs and Features option in the Control Panel.
2. Choose the appropriate action for removing IBM Security AppScan Source from the list of installed programs.

Removing from Linux platforms
When you install on Linux, a script is created that you can run to remove AppScan Source.

About this task

If you uninstall, you must uninstall as the same user who installed. If you installed the software as root on Linux, you must uninstall as root.

Procedure
1. Locate the script, <install_dir>/Uninstall_AppScan/AppScan_Uninstaller (where <install_dir> is the location of your AppScan Source installation).
2. Run this script (using sudo) to display the wizard that is used for removing the product.

Removing from OS X platforms
When you install on OS X, a script is created that you can run to remove AppScan Source.

About this task

If you uninstall, you must uninstall as the same user who installed.

Procedure
1. Locate the script, <install_dir>/Uninstall_AppScan/AppScan_Uninstaller.sh (where <install_dir> is the location of your AppScan Source installation).
2. Run this script (using sudo) to display the wizard that is used for removing the product.


Chapter 9. Administering AppScan Source

This section explains user management, permissions, application and project registration, and port configuration.

Your AppScan Source administrator is responsible for deploying and installing the AppScan Enterprise Server and AppScan Source products - and creating users with the appropriate privileges and permissions (or configuring automatic login for AppScan Enterprise Server users). The administrator must understand the role of each user and the required deployment model to complete these tasks. It is also necessary for the administrator to know if other systems, such as defect tracking and Directory Server, must be integrated with AppScan Source and the AppScan Enterprise Server.

It is also important to understand the installation configurations of AppScan Source for Analysis and the AppScan Enterprise Server, how to connect to the server, and the available functionality for each user. For example, the administrator must be familiar with how to configure AppScan Source applications and projects and how to register and publish them. See the IBM Security AppScan Source for Analysis User Guide for more detailed information.

AppScan Source users can concurrently exist on the AppScan Enterprise Server - or, if you have cause to have users that are not permitted to access the server, they can be created locally as an AppScan Source user.

User accounts and permissions
Before AppScan Source users can begin to scan or triage results, an administrator must create user accounts and assign permissions to the accounts.

AppScan Source user permissions are stored in the AppScan Source Database and applied when a user is logged in to the AppScan Enterprise Server. Users that run AppScan Source for Development in local mode have full AppScan Source permissions.

When you create a user, you establish a role for that user and identify the permissions available for that user. Permissions identify the allowable AppScan Source tasks for that user. Tasks not specifically identified as part of a permission are available to all users.

Note: You cannot modify a user ID. You must delete the user account and re-create the user with the same user ID.

Permission Group                      Permission
------------------------------------  ------------------------------------------------------------
Application and Project Management    Register (Register and unregister applications and projects)
                                      Scan
                                      View Registered
                                      Manage Attributes
                                      Apply Attributes
Assessment Management                 Delete Published Assessments
                                      Save Assessments
                                      Publish Assessments
                                      View Published Assessments
Knowledgebase Management              Manage Custom Rules
                                      Manage Patterns
Administration                        Manage Users
                                      Manage AppScan Enterprise Settings
Filter Management                     Manage Shared Filters
Scan Configurations                   Manage Shared Configurations (sharing scan configurations
                                      and editing/deleting shared scan configurations)

Creating AppScan Source users
AppScan Source users can exist in the AppScan Enterprise Server user repository and in the AppScan Source Database - or, if you have cause to have users that should not have user accounts on the server, they can be created in the AppScan Source Database as AppScan Source users instead. You can also create a new AppScan Source user that already exists on the AppScan Enterprise Server.

About this task

The AppScan Source license and individual user permissions control access to AppScan Source for Analysis, AppScan Source for Automation (the Automation Server), AppScan Source for Development (the developer plug-ins), and the AppScan Source command line interface (CLI). You can add, delete, and edit user accounts, and view information about the system license. When you create and modify users, you also assign permissions, if necessary.

Users can be created in the AppScan Source for Analysis user interface or in the CLI (see the IBM Security AppScan Source Utilities User Guide to learn about creating users in the CLI). From the AppScan Source for Analysis user interface, you can also set automatic login for AppScan Enterprise Server users (see “Configuring automatic login of AppScan Enterprise Server users” on page 107).

To create users in the AppScan Source for Analysis user interface, follow these steps:

Procedure
1. From the AppScan Source for Analysis Admin menu, click Manage Users.
2. The Manage Users dialog box lists existing AppScan Source users. Those located in the AppScan Enterprise Server user repository exist locally in the AppScan Source Database and on the AppScan Enterprise Server. Those located in the AppScan Source repository exist only in the AppScan Source Database.
3. Click Add User to open the Add User dialog box.
4. By default, the new user will be created in the AppScan Source Database and on the AppScan Enterprise Server. To create the user only in the AppScan Source Database, select the Store user in AppScan Source repository check box.


5. If Store user in AppScan Source repository is not selected: Type a User ID, user Name (255 characters maximum), and Email. These are required fields. If the user already exists on the AppScan Enterprise Server, click Find User and then, in the Find Existing User dialog box, select the user to add and click OK. This will close the Find Existing User dialog box and cause the required fields in the Add User dialog box to be filled in.

   Note: The credentials used by AppScan Enterprise Server users are always the same credentials that are used to log in to AppScan Source. If the credentials are changed in either product, the change will automatically be in effect in the other product.

   Note: In some cases, it may not be possible to create AppScan Enterprise Server users. Refer to “Requirements for creating AppScan Enterprise Server users” on page 108 for information.

6. If Store user in AppScan Source repository is selected: Type a User ID and then enter a password for the user (twice for confirmation - between 6 and 16 characters). These are required fields. You can also optionally add a user Name (255 characters maximum) and Email.
7. Expand the Permissions tree and select the check boxes that identify the user's permissions.
8. Click OK to create the user. If the user is being created on the AppScan Enterprise Server, the password for the user will automatically be set to be the same as the user ID. This should be changed by the user as soon as possible (see “Changing your password” on page 110 for instructions).

Results

Using the settings described in this topic, you can also edit users by selecting the user in the Manage Users dialog box and clicking Edit User. Similarly, you can remove a user by selecting it and clicking Delete User.

Configuring automatic login of AppScan Enterprise Server users

By default, AppScan Enterprise Server users can log in to AppScan Source and automatically become AppScan Source users. This feature can be configured in the AppScan Source for Analysis user interface according to the instructions in this topic.

Procedure
1. From the AppScan Source for Analysis Admin menu, click Manage Users.
2. In the Manage Users dialog box, click the Configure login for AppScan Enterprise Server users link.
3. The Configure AppScan Enterprise Server User Login dialog box allows you to enable this feature - and set initial permissions for AppScan Enterprise Server users:
   • By default, AppScan Enterprise Server users can log in to AppScan Source. To disable this feature, deselect the Permit login by AppScan Enterprise Server users check box.
   • By default, AppScan Enterprise Server users have these permissions when logging in to AppScan Source:
     – Register
     – Scan
     – View Registered
     – Manage Attributes
     – Apply Attributes
     – Save Assessments
     Expand the Permissions tree and select the check boxes that identify the appropriate initial settings for AppScan Enterprise Server users. See “User accounts and permissions” on page 105 for a list of all available permissions.
4. Click OK to close the Configure AppScan Enterprise Server User Login dialog box - and then Close the Manage Users dialog box.

Results

The first time an AppScan Enterprise Server user logs in to AppScan Source, an AppScan Source user account will be created with the same authentication credentials that are used for logging in to the AppScan Enterprise Server. After the account is created, you can modify it (for example, modify its permissions).

If you disable this feature, AppScan Enterprise Server users will need to be created manually by following the instructions in “Creating AppScan Source users” on page 106.

Requirements for creating AppScan Enterprise Server users
Adding a user to the AppScan Enterprise Server user repository may not be possible. Reasons for this include lacking the required JazzAdmins permission on the server (when configured with Jazz authentication) - or a server configuration that includes a read-only user repository (for example, LDAP or Windows authentication). In either of these cases, the Add User dialog box will include a message alerting you to this issue.

You can still create an AppScan Source user for an existing AppScan Enterprise Server user with the Find User feature. Or, you can create a new user in the AppScan Source repository.

To create a new AppScan Enterprise Server user, ask your system administrator to give you JazzAdmins permission. Alternately, request that the new user be created in the LDAP user directory or, if you are using Windows authentication, request that the new user be created in your Active Directory server.

Creating a user account for the Automation Server
A user account is required for Automation Server use. This user account must be registered with the Automation Server during installation or by command line post-installation. A corresponding AppScan Source user account must also then be created manually post-installation with AppScan Source for Analysis or the AppScan Source command line interface (CLI). This topic describes creating this account using AppScan Source for Analysis.

Procedure
1. Follow the instructions in “Creating AppScan Source users” on page 106 for creating a new user - or enable the automatic creation of AppScan Enterprise Server users (see “Configuring automatic login of AppScan Enterprise Server users” on page 107).
2. Ensure that any users that will use the Automation Server have the same user name and password that was specified for Automation Server login. Other settings, such as permission, can be set according to your needs.

Migrating Rational AppScan Source Edition for Core users to AppScan Enterprise Server

If you are upgrading from a previous version of Rational AppScan Source Edition, you can migrate your users to the AppScan Enterprise Server.

Procedure
1. To modify users from the AppScan Source for Analysis user interface:
   a. Select Admin > Manage Users from the main workbench menu.
   b. In the Manage Users dialog box, current Rational AppScan Source Edition for Core users will be listed with AppScan Source as their User Repository. Select the user that you want to migrate to the server and click Edit User.
   c. In the Edit User dialog box, deselect the AppScan Source User Repository check box and then ensure that all required fields are completed (User ID, Name, and Email). Complete instructions for completing this dialog box can be found in “Creating AppScan Source users” on page 106.
   d. Click OK to migrate the user to the AppScan Enterprise Server. When you return to the Manage Users dialog box, the User Repository for the user will be indicated as AppScan Enterprise Server.
2. To modify users from the AppScan Source command line interface:
   a. Optional: Issue the listusers command to see a list of users. Those that are currently located in the AppScan Source user repository will be marked as local.
   b. Issue the moduser command for the user, setting the local parameter to false.
   c. For information about AppScan Source command line interface (CLI) commands, see the AppScan Source command line interface (CLI) section of the online help or IBM Security AppScan Source Utilities User Guide.

Results

The password for the user will automatically be set to be the same as the user ID (for example, if the user ID is jsmith, the password will be jsmith - the previous Rational AppScan Source Edition for Core password will not be retained). This should be changed by the user as soon as possible (see “Changing your password” on page 110 for instructions).

If the AppScan Enterprise Server is configured to use LDAP authentication, passwords will be managed by your organization's LDAP infrastructure.

Auditing user activity
AppScan Source offers a convenient location for auditing user activity. The Audit view logs events such as authentication to the AppScan Enterprise Server, the creation of new users, and the creation of new rules in the database.

To open the Audit view, select Admin > Audit from the main menu.


Note: You must have Manage Users permission to use the Audit view. Opening the view without appropriate permission will result in an error. To learn about AppScan Source permissions, see “User accounts and permissions” on page 105.

Logging in to AppScan Enterprise Server from AppScan Source products

Most AppScan Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database.

When you launch AppScan Source for Analysis, you are prompted to log in. If you are running AppScan Source for Development in server mode, you are prompted to log in when you first initiate an action that needs access to the server, such as launching a scan, viewing scan configurations, or changing your password.

In AppScan Source for Analysis, when logging in, you are prompted for:
• User ID: Specify your user ID (depending on how your account was set up, this is a user ID that exists both on the AppScan Enterprise Server and in the AppScan Source Database - or it is a user ID that exists only in the AppScan Source Database).
• Password: Specify the password for your user ID.
• AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance.

In AppScan Source for Development, when logging in, you are prompted for:
• Server URL: Specify the URL for your AppScan Enterprise Server instance.
• User ID: Specify your user ID (depending on how your account was set up, this is a user ID that exists both on the AppScan Enterprise Server and in the AppScan Source Database - or it is a user ID that exists only in the AppScan Source Database).
• Password: Specify the password for your user ID.

Login actions are also required when running AppScan Source for Automation or the AppScan Source command line interface (CLI). See the IBM Security AppScan Source Utilities User Guide for more information.

To learn about AppScan Enterprise Server SSL certificates, see “AppScan Enterprise Server SSL certificates” on page 111.

Changing your password
This topic describes the steps for changing your password. If your AppScan Enterprise Server is configured to use LDAP authentication or Windows authentication, this functionality is not available.

Procedure
1. Choose Admin > Change Password from the main menu.
2. Enter your old password.
3. Type and confirm a new password.
4. Click OK to change the password.

Note: The credentials used by AppScan Enterprise Server users are always the same credentials that are used to log in to AppScan Source. If the credentials are changed in either product, the change will automatically be in effect in the other product.

AppScan Enterprise Server SSL certificates
When the AppScan Enterprise Server is installed, it should be configured to use a valid SSL certificate. If this is not done, you will receive an untrusted connection message when logging in to the server from AppScan Source for Analysis or the AppScan Source command line interface (CLI) - or AppScan Source for Development on Windows and Linux.

SSL certificate storage location

Certificates that have been permanently accepted are stored in <data_dir>\config\cacertspersonal and <data_dir>\config\cacertspersonal.pem (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57). Remove these two files if you no longer want the certificates permanently stored.

AppScan Source for Automation and SSL certificate validation

By default, certificates are automatically accepted when using AppScan Source for Automation. This behavior is determined by the ounceautod_accept_ssl setting in the Automation Server configuration file (<data_dir>\config\ounceautod.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57)). If this setting is edited so that value="true" is set to value="false", SSL validation will be attempted and logging in or publishing to AppScan Enterprise Console will fail with an error if an invalid certificate is encountered.

AppScan Source command line interface (CLI) and SSL certificate validation

By default, when using the CLI login command, SSL validation will be attempted and logging in or publishing to AppScan Enterprise Console will fail with an error if an invalid certificate is encountered (if you have not already permanently accepted the certificate while logging in via another AppScan Source client product). This behavior can be modified by using the optional -acceptssl parameter when issuing the login command. When this parameter is used, SSL certificates are automatically accepted.
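A review script for the two SSL validation switches described above (the ounceautod_accept_ssl setting and the -acceptssl login parameter), added here as an example and not part of the IBM guide or product. It assumes the setting is stored as an XML-style element with name="..." and value="..." attributes (the guide shows only value="true") and that CLI scripts hold one command per line; the sample file contents, host name and account name are constructed.

```python
import re
import sys
from pathlib import Path

SETTING_NAME = "ounceautod_accept_ssl"

# ASSUMPTION: the setting is an XML-style element carrying name="..." and
# value="..." attributes, in any order, possibly spread over several lines.
_COMMENT = re.compile(r"<!--.*?-->", re.S)
_ELEMENT = re.compile(r'<[^<>]*\bname\s*=\s*"' + SETTING_NAME + r'"[^<>]*>')
_VALUE = re.compile(r'\bvalue\s*=\s*"([^"]*)"')

# Constructed sample of ounceautod.ozsettings content (layout is assumed).
SAMPLE_SETTINGS = """<Settings>
  <!-- <Setting name="ounceautod_accept_ssl" value="false"/> -->
  <Setting
      name="ounceautod_accept_ssl"
      value="true"
  />
</Settings>"""

# Constructed sample CLI script; argument order is illustrative only.
SAMPLE_SCRIPT = """login https://aes.example.test/ase svc_scan PLACEHOLDER_PASSWORD -acceptssl
listusers
login https://aes.example.test/ase svc_scan PLACEHOLDER_PASSWORD
"""


def automation_accepts_any_cert(settings_text):
    """Return True if certificates are auto-accepted, False if SSL validation
    is on, None if the setting is missing or its value is not true/false."""
    active = _COMMENT.sub("", settings_text)  # ignore commented-out copies
    element = _ELEMENT.search(active)
    if element is None:
        return None
    value = _VALUE.search(element.group(0))
    if value is None:
        return None
    text = value.group(1).strip().lower()
    return {"true": True, "false": False}.get(text)


def find_acceptssl_logins(script_text):
    """Return (line_number, line) for each login command that passes -acceptssl."""
    hits = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        tokens = [token.lower() for token in line.split()]
        if "login" in tokens and "-acceptssl" in tokens:
            hits.append((number, line.strip()))
    return hits


def audit(settings_text, scripts):
    """scripts maps a label (for example a file name) to script text.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    state = automation_accepts_any_cert(settings_text)
    if state is True:
        findings.append(
            f'{SETTING_NAME} is "true": Automation Server accepts any certificate')
    elif state is None:
        findings.append(
            f"{SETTING_NAME} not found or not true/false: review the file by hand")
    for label, text in scripts.items():
        for number, _line in find_acceptssl_logins(text):
            # The matching line is not echoed because it may carry a password.
            findings.append(f"{label}:{number}: login uses -acceptssl")
    return findings


if __name__ == "__main__":
    # Usage: script.py <path to ounceautod.ozsettings> [CLI script files ...]
    if len(sys.argv) > 1:
        settings = Path(sys.argv[1]).read_text(errors="replace")
        scripts = {p: Path(p).read_text(errors="replace") for p in sys.argv[2:]}
    else:
        settings, scripts = SAMPLE_SETTINGS, {"sample_script.txt": SAMPLE_SCRIPT}
    for finding in audit(settings, scripts):
        print(finding)
```

Run without arguments it reports on the constructed samples; a certificate that was permanently accepted through another client is outside what this script checks, so review the cacertspersonal files separately.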

LDAP integration
You cannot add LDAP users to the AppScan Source user repository if they are not already in the AppScan Enterprise Server user repository. To add an AppScan Source user that will be authenticated via LDAP, you must have configured the AppScan Enterprise Server user repository to use an LDAP repository. For information about this, see the AppScan Enterprise Server Planning & Installation Guide.

If you are using LDAP authentication and want to add an AppScan Source user that is not part of an LDAP user group, create the user locally in the AppScan Source user repository by selecting the Store user in AppScan Source repository check box in the Add User dialog box. See “Creating AppScan Source users” on page 106 for user creation instructions.

Registering applications and projects for publishing to AppScan Source

Registering applications and projects and publishing assessment results enables the sharing of critical security data across the team (assessments are published to the AppScan Source Database). Users with the appropriate privileges and permissions can access these assessment results through AppScan Source for Analysis. In some deployments, registering applications and projects, as well as publishing assessment results, is an administrative task. In other deployments, these are Project Lead/Security Analyst tasks. It is recommended that you limit permissions to only those who need to perform these tasks.

AppScan Source application and project files

AppScan Source applications and projects have corresponding files that maintain configuration information required for scanning, as well as triage customization. It is recommended that these files reside in the same directory as the source code, since configuration information (dependencies, compiler options, and so forth) required to build the projects is very similar to that required for AppScan Source to scan them successfully. Best practice includes managing these files with your source control system.

When you use supported build integration tools (for example, Ounce/Ant or Ounce/Maven) to generate AppScan Source applications and project files, it is recommended that you update these files in source control as part of your build automation, to facilitate sharing them across the development team. When a developer updates the local view of the files in source control, the AppScan Source application and project files update as well. This ensures that the entire team is working with a consistent set of files.

Applications and projects created in AppScan Source for Analysis have a .paf and .ppf extension respectively. These files are generated when you manually create and configure an application or project in the AppScan Source for Analysis user interface or via supported AppScan Source utilities.

On Windows, when you import Microsoft solutions and projects into AppScan Source for Analysis, files with .gaf and .gpf extensions are created for them.

On OS X, when you import Xcode directories and projects into AppScan Source for Analysis, files with .xcodeproj.gaf and .xcodeproj.gpf extensions are created for them.

Note: When an Eclipse Importer runs on an Eclipse or Rational Application Developer for WebSphere Software (RAD) workspace, AppScan Source creates intermediate files with .ewf and .epf extensions. These files are required for the initial import into AppScan Source for Analysis and for future scans.


Table 3. AppScan Source files

Each entry gives the AppScan Source file extension, followed by its description.

ppf
- AppScan Source project file
- Generated when you create a project with AppScan Source for Analysis or supported AppScan Source utilities
- User-named

paf
- AppScan Source application file
- Generated when you create an application with AppScan Source for Analysis or supported AppScan Source utilities
- User-named

gaf
- AppScan Source application file that is generated when you import Microsoft solutions
- Used to hold custom application information such as exclusions and bundles
- Adopts the name of the imported workspace or solution. For example:
  d:\my_apps\myapp.sln
  d:\my_apps\myapp.sln.gaf

gpf
- AppScan Source project file that is generated when you import Microsoft projects
- Used to hold custom project information such as patterns and exclusions
- Adopts the name of the imported project. For example:
  d:\my_projects\myproject.vcproj
  d:\my_projects\myproject.vcproj.gpf

.xcodeproj.gaf
- AppScan Source application file that is generated when you import Xcode directories
- Used to hold custom application information such as exclusions and bundles
- Adopts the name of the imported workspace or solution. For example:
  /Users/myUser/myProject.xcodeproj
  /Users/myUser/myProject.xcodeproj.gaf

.xcodeproj.gpf
- AppScan Source project file that is generated when you import Xcode projects
- Used to hold custom project information such as patterns and exclusions
- Adopts the name of the imported project. For example:
  /Users/myUser/myProject.xcodeproj
  /Users/myUser/myProject.xcodeproj.gpf

ewf
- Eclipse workspace file
- Produced when you import an Eclipse workspace into AppScan Source
- The Eclipse exporter creates the file based on information in the Eclipse workspace - AppScan Source then imports the file

epf
- Eclipse project file
- Produced when an Eclipse project is imported into AppScan Source
- The Eclipse exporter creates the file based on information in the Eclipse project - AppScan Source then imports the file

Port configuration

Deployment of AppScan Source products requires that certain ports be open on the computers where those components are installed. The tables in “Default open ports” provide information about port usage. Each port is configurable.

Default open ports

Default open ports for remote communication

Port            Components                     Protocol
443 and 9443    AppScan Enterprise Server      HTTPS
2315            IBM solidDB                    solidDB

Default open ports for local host access

Port                                                Components                       Protocol
443 and 9443                                        AppScan Enterprise Server        HTTPS
13194-13294 (only uses one port in this range)      AppScan Source for Analysis      IIOP
13205                                               AppScan Source for Automation    IIOP


License server ports

The Rational License Key Server is used for serving floating licenses to AppScan Source. To make use of AppScan Source floating licenses through a firewall or from another network, some manual configuration is required. You will need to configure License Manager ports for the lmgrd and ibmratl vendor daemons on the Rational License Key Server - and then open/forward both ports in addition to the AppScan Source ports. Refer to the Rational License Key Server documentation for more information. By default, the lmgrd port is 27000 and the ibmratl vendor daemon port is allocated dynamically.

Port forwarding configuration

To operate in a port forwarding environment, you must make configuration changes to the AppScan Source system properties. For detailed instructions for changing the appropriate settings, contact your IBM support representative.

Changing the IBM solidDB port

About this task

To change the solidDB communications port number, access the machine on which you have installed the AppScan Source Database and follow the steps in this topic.

Important: If you change the solidDB port, you must run the appscanserverdbmgr tool to register the updated database location with the server. See “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 for information about this tool.

Procedure

1. Open <install_dir>\solidDB\appscansrc\solid.ini (on Windows) or <install_dir>/soliddb/appscansrc/solid.ini (on Linux) (where <install_dir> is the location of your AppScan Source installation). In the file, locate the NETWORK NAME setting and change its port number value. For example, if you have installed the database on Windows and want to change its port number to 12345, find Listen=tcpip 2315, nmpipe SOLID ; Windows (the default value of the setting on Windows) and change it to Listen=tcpip 12345, nmpipe SOLID ; Windows. Save the changes to the file.

2. Open <data_dir>\config\database.ozsettings (on Windows) or <data_dir>/config/database.ozsettings (on Linux) (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57). In the file, locate the db_connection_information setting and change its port number value. For example, if you want to change the port number to 12345, find value="tcp localhost 2315" and change it to value="tcp localhost 12345". Save the changes to the file.

3. Restart the IBM Security AppScan Source DB service.
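The procedure above edits the port in two files, and the database connection fails if they disagree. The following consistency check is an added example, not part of the IBM guide or product. It assumes db_connection_information is stored as a single XML-style element carrying the setting name and a value="..." attribute; both sample excerpts are constructed from the values quoted in the steps.

```python
import re

# Constructed excerpts, based on the values quoted in the procedure.
INI_EDITED = """; constructed excerpt of solid.ini after step 1
Listen=tcpip 12345, nmpipe SOLID ; Windows
"""
SETTINGS_STALE = """<Settings>
  <Setting name="db_connection_information" value="tcp localhost 2315"/>
</Settings>
"""


def solid_ini_port(ini_text):
    """TCP port from the Listen= line of solid.ini, or None if there is none."""
    for line in ini_text.splitlines():
        body = line.split(";", 1)[0].strip()   # text after ';' is a comment
        key, sep, value = body.partition("=")
        if not sep or key.strip().lower() != "listen":
            continue
        # The value is a comma-separated list such as "tcpip 2315, nmpipe SOLID".
        for entry in value.split(","):
            tokens = entry.split()
            if len(tokens) >= 2 and tokens[0].lower() in ("tcp", "tcpip") \
                    and tokens[-1].isdigit():
                return int(tokens[-1])
    return None


def ozsettings_endpoint(settings_text):
    """(host, port) from db_connection_information, or None.

    Assumption: one XML-style element holds the setting name and a
    value="tcp <host> <port>" attribute.
    """
    text = re.sub(r"<!--.*?-->", "", settings_text, flags=re.S)
    for tag in re.findall(r"<[^<>]+>", text):
        if re.search(r"\bdb_connection_information\b", tag):
            match = re.search(r'\bvalue\s*=\s*"([^"]*)"', tag)
            tokens = match.group(1).split() if match else []
            if len(tokens) == 3 and tokens[0].lower() == "tcp" and tokens[2].isdigit():
                return tokens[1], int(tokens[2])
    return None


def check_port_change(ini_text, settings_text, expected_port=None):
    """Return a list of problems; an empty list means both files agree."""
    problems = []
    listen = solid_ini_port(ini_text)
    endpoint = ozsettings_endpoint(settings_text)
    if listen is None:
        problems.append("solid.ini: no TCP Listen entry found")
    elif not 1 <= listen <= 65535:
        problems.append(f"solid.ini: port {listen} is out of range")
    if endpoint is None:
        problems.append("database.ozsettings: db_connection_information not found")
    if listen is not None and endpoint is not None and listen != endpoint[1]:
        problems.append(
            f"mismatch: solid.ini listens on {listen}, "
            f"database.ozsettings connects to {endpoint[1]}")
    if expected_port is not None:
        configured = (("solid.ini", listen),
                      ("database.ozsettings", endpoint[1] if endpoint else None))
        for name, port in configured:
            if port is not None and port != expected_port:
                problems.append(f"{name}: still on port {port}, expected {expected_port}")
    return problems


if __name__ == "__main__":
    # Step 1 was done but step 2 was skipped: the mismatch is reported.
    for problem in check_port_change(INI_EDITED, SETTINGS_STALE, expected_port=12345):
        print(problem)
```

Run it before restarting the IBM Security AppScan Source DB service in step 3.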


Changing IBM solidDB user passwords after installation

If you install the IBM solidDB database during the product installation, you must configure solidDB user and administrative user credentials. By default, the settings for the solidDB user are user name ounce and password ounce. The default database administrator user name and password are both dba.

About this task

To change the password for either of these two user accounts, follow the steps in this topic.

Important: If you change the solidDB port, you must run the appscanserverdbmgr tool to register the updated database location with the server. See “Registering the AppScan Source Database with AppScan Enterprise Server” on page 70 for information about this tool.

Procedure

1. At a command prompt, change directory to <install_dir>\solidDB\bin (where <install_dir> is the location of your AppScan Source installation).

2. Issue the command solsql.exe "tcp 2315" (on Windows) or solsql "tcp 2315" (on Linux).

3. When prompted for a Username, enter the currently-configured solidDB administrative username. By default, this is dba.

4. When prompted for a Password, enter the currently-configured solidDB administrative password. By default, this is dba.

5. Issue the command alter user <db_username> identified by <new_password>;. In this command:
   - <db_username> is the solidDB user whose password you want to change. You can change the solidDB user password or you can change the solidDB administrative user password.
   - <new_password> is the new password that you want to set for <db_username>. For example, to change the default administrative user password to newpassword123, issue the command alter user dba identified by newpassword123;.

6. To complete the password change for the solidDB user, issue the command commit work; and then issue the command exit;.

7. Optional: This step is only required if you have changed the solidDB user password. Do not complete this step for a change to the solidDB administrative user password. After changing the solidDB user password, you will need to change the password that is registered with the AppScan Source Database:
   a. Open a command prompt and change directory to <install_dir>\bin (where <install_dir> is the location of your AppScan Source installation).
   b. On Windows, issue the command OunceServer.exe -a <new_password>. On Linux, issue the command ounceserverd -a <new_password>. For both, <new_password> is the new password that was specified when changing the solidDB user password in the above steps.

AppScan Source predefined filters (Version 8.7.x and earlier)

This topic lists predefined filters that were included in AppScan Source Version 8.7.x and earlier.

If you need to access these filters, follow the instructions in “Restoring archived predefined filters” on page 118.

! - The Vital Few

This filter matches findings from some of the most dangerous vulnerability categories. Only findings which originate in an external network communications source are included. This filter provides a laser-focused starting point for high risk findings. The specific categories which are included in this filter are:

Vulnerability.BufferOverflow
Vulnerability.BufferOverflow.FormatString
Vulnerability.PathTraversal
Vulnerability.CrossSiteScripting
Vulnerability.CrossSiteScripting.Reflected
Vulnerability.CrossSiteScripting.Stored
Vulnerability.Injection
Vulnerability.Injection.LDAP
Vulnerability.Injection.SQL
Vulnerability.Injection.OS
Vulnerability.Injection.XML
Vulnerability.Injection.XPath

High Priority - External Communications

This filter matches findings which originate from outside the application and across a network. This filter matches findings which originate at any Technology.Communications source.

High Priority - Important Types

This filter contains findings from some of the most dangerous vulnerability categories, such as CrossSiteScripting and Injection.SQL. The specific categories which are included in this filter are:

Vulnerability.AppDOS
Vulnerability.Authentication.Credentials.Unprotected
Vulnerability.Authentication.Entity
Vulnerability.BufferOverflow
Vulnerability.BufferOverflow.FormatString
Vulnerability.CrossSiteScripting
Vulnerability.CrossSiteScripting.Reflected
Vulnerability.CrossSiteScripting.Stored
Vulnerability.Injection
Vulnerability.Injection.LDAP
Vulnerability.Injection.OS
Vulnerability.Injection.SQL
Vulnerability.Injection.XML
Vulnerability.Injection.XPath
Vulnerability.PathTraversal

Low Priority - Test Code

This filter contains findings from test code. Specific types in this filter include:

Vulnerability.Quality.TestCode

Noise - Copy-like Operations

This filter contains findings that are concerned with copy-like operations. A copy-like operation occurs when data is taken from a source which may or may not be trusted, but actions performed on the data are trusted.

These patterns are looked for:

Technology.Database --> Vulnerability.Injection.SQL
Mechanism.SessionManagement --> Mechanism.SessionManagement
Technology.XML, Technology.XML.DOM, Technology.XML.Schema, Technology.XML.XPath --> Vulnerability.AppDOS.XML, Vulnerability.Injection.XML

Noise - Logging Issues

This filter contains findings related to error handling. The findings found emanate from an error handling routine to a logging mechanism. This pattern is matched:

Mechanism.ErrorHandling --> Vulnerability.Logging, Vulnerability.Logging.Forge, Vulnerability.Logging.Required

Noise - Low Severity

This filter contains findings with a severity of Low. All classifications are included.

Noise - Trusted Source

This filter contains findings that emanate from a trusted source. Only findings that have java.lang.System.getProperty.* as their source are included in this filter.

Restoring archived predefined filters

Predefined filters that were provided in AppScan Source prior to Version 8.8 can be added back to the product by following the steps in this task. Once restored on a single machine, they can be managed in the same manner as filters that you create (for example, they can be shared to multiple clients).

About this task

Archived predefined filters are located in <data_dir>\archive\filters (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 57).

Procedure

1. In <data_dir>\archive\filters, locate the filter or filters that you want to restore (AppScan Source filters have a .off file extension).
2. Copy the filter or filters to <data_dir>\scanner_filters.
3. Restart AppScan Source.

What to do next

To learn how to manage filters (including archived filters that you have restored), see “Creating and managing filters in the Filter Editor view.”

Creating and managing filters in the Filter Editor view

In this view, you can create, edit, save, delete, and manage filters. If you are using AppScan Source for Analysis, you can share filters and access filters that have been shared by others. In AppScan Source for Development, you can access shared filters if you are using server mode and logged in to the AppScan Enterprise Server.

Procedure

1. In the “Filter Editor view” on page 120 toolbar, click New. The new filter name is Untitled<-number> (where the first new untitled filter is Untitled and the next new untitled filter is Untitled-1, and so on).

   Note: In AppScan Source for Development (Visual Studio plug-in), this view is part of the Edit Filters window.

2. Expand the categories and select the criteria that you want for the filter.
3. Click Save or Save As.
4. Name the filter and click OK. The new filter name replaces Untitled<-number> in the list of filters.

What to do next

To apply the filter, select it in the Filter Editor view drop down menu.

Note: Filters that are applied outside of the Vulnerability Matrix view may not affect the Vulnerability Matrix view. The Vulnerability Matrix view Show the counts of filtered findings toolbar button must be selected for the filter to be reflected in the Vulnerability Matrix view.

Filters can be managed directly in the Filter Editor view by selecting the filter in the list and then working with it - or you can click Manage Filters to open the Manage Filters dialog box, which provides a list of saved filters.

- Modifying filters: Select the filter in the Filter Editor view or in the Manage Filters dialog box and then modify its filter rules and save the changes.

  Note: Built-in filters cannot be modified or deleted.

- Deleting filters: Select the filter in the Filter Editor view or in the Manage Filters dialog box and then click Delete. In the Manage Filters dialog box, you can select multiple filters and click Delete to remove them at the same time.

- Creating a filter from another filter: You can modify a filter and then click Save As to save it as a filter with a new name. This allows you to create a new filter by building on the settings of an existing filter. You can do this in both the Filter Editor view and the Manage Filters dialog box.

  Tip: The same thing can be accomplished by opening a filter and using the Save As action to save it with a new name. You can then open the new filter and modify it. By choosing this method, you can create a new filter from one of the built-in filters.

- Reverting filter settings: If you modify the properties of a filter and want to undo those changes, click Revert to return the filter to its last saved settings. This action can be performed in both the Filter Editor view and the Manage Filters dialog box. In the dialog box, if you have multiple filters with unsaved changes, clicking Revert will cause all selected filters with unsaved changes to be reverted back to their saved settings.

- Sharing filters (AppScan Source for Analysis only): To create a shared filter, open a filter in the Filter Editor and click Share Filter on the Filter Editor view toolbar.

  Note: To modify, delete, or create shared filters, you must have Manage Shared Filters permission. To learn about setting permissions, see the IBM Security AppScan Source Installation and Administration Guide.


Filter Editor view

The Filter Editor view provides a more granular manipulation of the currently selected filter than other AppScan Source views. This view consists of all criteria on which you can filter.

Note: In AppScan Source for Development (Visual Studio plug-in), this view is part of the Edit Filters window.

Tip: In the Filter Editor view Trace section, hovering over a trace entry provides details about the entry.


Legal notices

(C) Copyright IBM Corporation 2003, 2014.

Portions based on Design Patterns: Elements of Reusable Object-Oriented Software, by Erich Gamma, Richard Helm, Ralph Johnson and John Vlissides, Copyright (C) 1995 by Addison-Wesley Publishing Company, Inc. All rights reserved.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this documentation in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this documentation. The furnishing of this documentation does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

Intellectual Property Dept. for Rational Software
IBM Corporation
20 Maguire Road
Lexington, Massachusetts 02421-3112
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this documentation and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples may include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Copyright license

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

(C) (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. (C) Copyright IBM Corp. 2003, 2011.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks and service marks

See http://www.ibm.com/legal/copytrade.shtml.
