Setting up the AppScan 360° environment
Before installing AppScan 360°, set up your environment for optimal deployment.
- Deployment system
- Each Kubernetes cluster:
  - An ingress controller
  - Cert-manager
  - metrics server
- MSSQL Server
- Active Directory (LDAP)
- Network
- Storage
- CPU and memory
- Database
- Browser
- Identity provider
- Screen resolution
- Access points
HCL ID
Your HCL ID associates your account with valid licenses and access to software and support. It is required for access to HCL License and Download Portal and HCL Harbor.
For complete information about creating an HCL ID and accessing licenses and software, see this document.
Linux system
An Ubuntu Linux system, version 22.04 or newer, is required to initiate deployment. The actual deployment can be in a remote Kubernetes cluster, but the deployment is initiated from this Linux machine. The system must have the Bash shell and openssl installed, and be able to connect to the designated SQL server.
inotify
Increase the inotify instance limit in the kernel on all nodes where dynamic scans are run:
- Add fs.inotify.max_user_instances=524288 to /etc/sysctl.conf.
- Reboot the node for the change to take effect.
Local container service (Docker)
Docker is a local container service that can push images to a remote registry. It is required when installing ASCP and the AppScan Remediation Advisories from an archive file downloaded from HCL License and Download Portal.
Kubernetes cluster
The cluster is where ASCP agent containers reside and are put to use. A storage provider that supports ReadWriteMany is required. If a custom storage provider like Longhorn is to be used, ensure that it supports ReadWriteMany.
Kubectl
Kubectl is used to communicate with remote Kubernetes clusters.
Complete instructions for installing and configuring Kubectl can be found here.
Helm 3
Helm 3 is a set of resources that makes it easier to configure and use Kubernetes applications.
Complete instructions for installing the Helm CLI can be found here.
Verify communication between Linux and component services
To validate Kubernetes connectivity, run:
> kubectl version
or
> kubectl get nodes
To validate Docker connectivity, run:
> docker version
To validate the Helm CLI, run:
> helm version
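A pre-flight script for the deployment host that covers the Linux system requirements above (Bash, openssl, SQL Server reachability, the inotify limit) and the connectivity commands in this section. This is an added example, not HCL's own tooling; the sysctl file path, the SQL Server host and port, and the `--run` flag are its own assumptions.

```bash
#!/usr/bin/env bash
# Added pre-flight check for the AppScan 360° deployment host (not HCL's own tooling).
# Assumptions: sysctl file path and SQL Server host/port are supplied by the caller.
INOTIFY_KEY="fs.inotify.max_user_instances"
INOTIFY_MIN=524288

# Every CLI the page requires on the deployment host; reports all that are missing.
check_tools() {
  local missing=0 tool
  for tool in bash openssl kubectl helm docker; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; missing=1; }
  done
  return "$missing"
}

# True when FILE already pins the inotify instance limit at or above the required value
# (the last matching line wins, as sysctl applies entries in order).
inotify_configured() {
  local file=$1 val
  val=$(sed -n "s/^[[:space:]]*${INOTIFY_KEY}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$file" | tail -n 1)
  [ -n "$val" ] && [ "$val" -ge "$INOTIFY_MIN" ]
}

# Appends the required setting to FILE only when it is not already sufficient (idempotent).
ensure_inotify() {
  local file=$1
  inotify_configured "$file" && return 0
  printf '%s=%s\n' "$INOTIFY_KEY" "$INOTIFY_MIN" >> "$file"
  echo "added ${INOTIFY_KEY}=${INOTIFY_MIN} to ${file}; reboot the node to apply it" >&2
}

# Plain TCP reachability of the designated SQL Server (TDS default port 1433).
sql_reachable() {
  local host=$1 port=${2:-1433}
  timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Live checks mirroring the kubectl, docker and helm commands in this section.
check_cluster() {
  kubectl version >/dev/null && kubectl get nodes >/dev/null \
    && docker version >/dev/null && helm version >/dev/null
}

# Run everything: ./preflight.sh --run <sql-host> [sql-port]
if [ "${1:-}" = "--run" ]; then
  check_tools && ensure_inotify /etc/sysctl.conf && sql_reachable "$2" "${3:-1433}" \
    && check_cluster && echo "pre-flight OK" || { echo "pre-flight FAILED" >&2; exit 1; }
fi
```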
Ingress controller
Deploy an ingress controller that supports HTTPS backend protocol.
The recommended ingress controller is NGINX (latest version). However, if an appropriate ingress controller is already present in the cluster, then no need to install a new one.
Configure the controller with the following settings:
- proxy-body-size: 2g
- proxy-connect-timeout: 3600
- proxy-read-timeout: 3600
- proxy-send-timeout: 3600
- enable-access-log-for-default-backend: true
- ssl-redirect: true
- use-http2: true
- use-forwarded-headers: true
- compute-full-forwarded-for: true
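An added check, not part of the HCL documentation or of the ingress-nginx project, that audits the running ingress-nginx ConfigMap against the settings listed above; the ConfigMap name `ingress-nginx-controller` and namespace `ingress-nginx` are assumed chart defaults.

```bash
#!/usr/bin/env bash
# Added audit of the ingress-nginx ConfigMap against the page's required settings
# (not HCL's or ingress-nginx's own tooling). Name/namespace below are assumed defaults.

# Required ConfigMap keys and values from the page, one "key=value" per line.
REQUIRED_INGRESS_SETTINGS='proxy-body-size=2g
proxy-connect-timeout=3600
proxy-read-timeout=3600
proxy-send-timeout=3600
enable-access-log-for-default-backend=true
ssl-redirect=true
use-http2=true
use-forwarded-headers=true
compute-full-forwarded-for=true'

# Dumps the live ConfigMap data as key=value lines (assumed name/namespace are chart defaults).
dump_live_settings() {
  kubectl get configmap "${1:-ingress-nginx-controller}" -n "${2:-ingress-nginx}" \
    -o go-template='{{range $k, $v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}'
}

# Compares key=value lines on stdin with the required set; prints each problem and
# returns the number of problems (0 = compliant), so it works on a live dump or a saved file.
audit_ingress_settings() {
  local actual problems=0 line key want got
  actual=$(cat)
  while IFS= read -r line; do
    key=${line%%=*}; want=${line#*=}
    got=$(printf '%s\n' "$actual" | sed -n "s/^${key}=//p" | tail -n 1)
    if [ -z "$got" ]; then
      echo "MISSING  $key (want $want)"; problems=$((problems + 1))
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key=$got (want $want)"; problems=$((problems + 1))
    fi
  done <<EOF
$REQUIRED_INGRESS_SETTINGS
EOF
  return "$problems"
}
```

Against a live cluster, run `dump_live_settings | audit_ingress_settings` and treat any non-zero exit status as a configuration gap to fix before installing.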
Cert-manager
Install and configure Cert-manager.
MSSQL
MSSQL is a relational database management system.
Active Directory (LDAP)
Active Directory authenticates and authorizes all users and computers in a network, assigning and enforcing security policies for network access.
Network
The network should be encrypted and should support network policy.
Storage
AppScan 360° uses two types of storage. The storage space needed depends largely on the number of scans and the size of the application being scanned. As a guideline, the average size of storage required for a single scan execution is:
- MSSQL server DB storage: 150 KB
- File storage: 10 MB
| Scan executions | 1,000 | 100,000 | 1,000,000 |
|---|---|---|---|
| MSSQL server storage | 150MB | 15GB | 150GB |
| File storage | 10GB | 1TB | 10TB |
You can manually delete old scans to save space.
CPU and memory
CPU and memory requirements depend on the number of users and expected workload.
By default, the Kubernetes job allocates the minimum resources for each scan. In some cases, influenced by factors such as how active your users are, how much automation you use, the size of the application, and the frequency of scans, more resources may be required for the scan to run properly; assuming resources are available, the pod will try to scale up to the maximum defined resources. If there are not enough resources to scale up, some scans might fail.
To maximize success, provide enough resources for the system to be able to scale up when needed. Resource allocation is derived from the number of concurrent scans.
ASCP resources
When running ASCP only:
| | Memory | CPU (vCore) |
|---|---|---|
| ASCP | | |
| Minimum | 42GB | 10 |
| Maximum | 48GB | 12 |
Scanning resources
When running scans, the following additional resources are needed:
| | Memory | CPU (vCore) |
|---|---|---|
| Dynamic analysis scanning: single scan | | |
| Minimum | 3GB | 2 |
| Recommended | 4GB | 3 |
| Dynamic analysis scanning: five concurrent scans | | |
| Minimum | 15GB | 10 |
| Recommended | 20GB | 15 |
| Dynamic analysis scanning: ten concurrent scans | | |
| Minimum | 30GB | 20 |
| Recommended | 40GB | 30 |
| Static analysis scanning: single scan | | |
| Minimum | 16GB | 2 |
| Maximum | 28GB | 4 |
| Static analysis scanning: five concurrent scans | | |
| Minimum | 80GB | 10 |
| Maximum | 140GB | 20 |
| Static analysis scanning: ten concurrent scans | | |
| Minimum | 160GB | 20 |
| Maximum | 280GB | 40 |
- Multiply the listed scanning resources for a single scan above by the number of expected concurrent scans, and add this to the ASCP resources. For example:
  - The minimum resources for five concurrent scans would be 122GB memory and 20 CPUs (42GB for ASCP + 80GB for scanning, and 10 CPUs for ASCP + 10 CPUs for scanning).
  - The minimum resources for 12 concurrent scans would be 234GB memory and 34 CPUs (42GB for ASCP + 192GB for scanning, and 10 CPUs for ASCP + 24 CPUs for scanning).
- Ensure a sufficient number of AppScan 360° licenses, as issued during the ASCP installation.
- Define the Kubernetes configuration and availability of resources to allow multiple scans to be up and running at the same time.
- We do not recommend exceeding 25 concurrent scans.
The maximum number of each service depends on the expected peak scan load profile, that is, the peak number of scans submitted, percentage scanning source code/binary, and percentage scanning IRXs. Because of these unknowns, the optimal configuration may not be possible to define at the initial deployment. The HCL AppScan 360° configuration can be adjusted based on actual scan load.
Database
- Database installation, management, backup, maintenance, and licensing are the user’s responsibility.
- MSSQL Server 2019 and above are supported.
- Before installing HCL AppScan 360°, make sure to have a user with db_creator permissions.
Browser
- Chrome
- Safari
- Edge
- Firefox
Identity Provider
| | Administrator | Application Manager |
|---|---|---|
| Username | Admin | User |
| Password | Admin12! | User12! |
To onboard additional users, HCL AppScan 360° requires Microsoft Active Directory.
Screen resolution
The recommended screen resolution for HCL AppScan 360° is 1920 x 1080.
Access points
| Component | Ingress URL |
|---|---|
| User Portal | https://<CK_CONFIGURATION_DISCLOSED_SITE_URL> |
| User API | https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>/api |
| User API (swagger) | https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>/swagger |