Setting up the AppScan 360° environment

Before installing AppScan 360°, set up your environment for optimal deployment.

HCL ID

Your HCL ID associates your account with valid licenses and with access to software and support. It is required for access to the HCL License and Download Portal and to HCL Harbor.

For complete information about creating an HCL ID and accessing licenses and software, see this document.

Linux system

An Ubuntu Linux system, version 22.04 or newer, is required to initiate the deployment. The actual deployment can target a remote Kubernetes cluster, but it is initiated from this Linux machine. The system must have the Bash shell and openssl installed, and must be able to connect to the designated SQL server.

For dynamic scanning, increase the number of inotify instances in the kernel in all nodes where dynamic scans are run:
  1. Add fs.inotify.max_user_instances=524288 to /etc/sysctl.conf.
  2. Reboot the node for the changes to take effect.

Local container service (Docker)

Docker is a local container service that can push images to a remote registry. It is required when installing ASCP and the AppScan Remediation Advisories from an archive file downloaded from HCL License and Download Portal.

Kubernetes cluster

The cluster is where the ASCP agent containers are deployed and run.

A storage provider that supports ReadWriteMany is required. If a custom storage provider such as Longhorn is to be used, ensure that it supports ReadWriteMany.

Kubectl

Kubectl is used to communicate with remote Kubernetes clusters.

Complete instructions for installing and configuring Kubectl can be found here.

Helm 3

Helm 3 is a package manager for Kubernetes that makes it easier to configure and deploy Kubernetes applications.

Complete instructions for installing the Helm CLI can be found here.

Verify communication between Linux and component services

To validate Kubernetes connectivity, run:
> kubectl version
or
> kubectl get nodes

To validate Docker connectivity, run:
> docker version

To validate Helm connectivity, run:
> helm version
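A pre-flight script for the deployment host, added here as an example (it is not HCL's tooling): it checks for the tools named on this page, the Ubuntu release, the inotify limit required on dynamic-scan nodes, and then runs the connectivity commands above. The function names and the optional file argument are my own.

```shell
#!/usr/bin/env bash
# Added pre-flight check for the deployment host (example, not HCL's
# tooling). Tool names, the Ubuntu release and the inotify value are
# from this page; function names and optional arguments are mine.

REQUIRED_INOTIFY=524288   # fs.inotify.max_user_instances on dynamic-scan nodes

# Return 0 when every named tool is on PATH; name the missing ones otherwise.
require_tools() {
  local tool missing=0
  for tool in "$@"; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "missing: $tool" >&2
      missing=1
    fi
  done
  return $missing
}

# Return 0 when the release given (e.g. VERSION_ID from /etc/os-release) is 22.04 or newer.
ubuntu_version_ok() {
  local major=${1%%.*} minor=0
  case "$1" in *.*) minor=${1#*.}; minor=${minor%%.*} ;; esac
  [ "$major" -gt 22 ] || { [ "$major" -eq 22 ] && [ "$minor" -ge 4 ]; }
}

# Return 0 when the inotify instance limit meets the page's value. Run this on each
# node that runs dynamic scans; $1 overrides the file read (default: live kernel value).
check_inotify_limit() {
  local src=${1:-/proc/sys/fs/inotify/max_user_instances} current
  current=$(tr -dc '0-9' < "$src")
  [ -n "$current" ] && [ "$current" -ge "$REQUIRED_INOTIFY" ]
}

# The page's checks in order: tools present, OS release, then each CLI reaches its service.
preflight() {
  local release
  require_tools bash openssl kubectl helm docker || return 1
  release=$(. /etc/os-release 2>/dev/null && echo "$VERSION_ID")
  ubuntu_version_ok "$release" || echo "warning: Ubuntu 22.04 or newer expected, found '$release'" >&2
  kubectl get nodes >/dev/null && docker version >/dev/null && helm version >/dev/null
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` on the deployment host; the functions can also be sourced individually, for example `check_inotify_limit` on a node before starting dynamic scans.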

Ingress controller

Deploy an ingress controller that supports the HTTPS backend protocol.

The recommended ingress controller is NGINX (latest version). However, if an appropriate ingress controller is already present in the cluster, there is no need to install a new one.

The controller should be configured with the following settings:
  • proxy-body-size: 2g
  • proxy-connect-timeout: 3600
  • proxy-read-timeout: 3600
  • proxy-send-timeout: 3600
  • enable-access-log-for-default-backend: true
  • ssl-redirect: true
  • use-http2: true
  • use-forwarded-headers: true
  • compute-full-forwarded-for: true
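For a cluster that already has an ingress-nginx controller, an added check (example code, not HCL's) that compares the controller ConfigMap against the settings listed above and renders a merge patch carrying the required values. The namespace and ConfigMap name default to the upstream ingress-nginx ones (`ingress-nginx`, `ingress-nginx-controller`); that is an assumption, so adjust them for your install.

```shell
#!/usr/bin/env bash
# Added example (not HCL's code): verify an existing ingress-nginx ConfigMap
# against the settings this page requires, and render a merge patch for them.
# Namespace and ConfigMap name default to upstream ingress-nginx's (assumption).

# Required key=value pairs, exactly as listed on the page.
REQUIRED_INGRESS_SETTINGS='proxy-body-size=2g
proxy-connect-timeout=3600
proxy-read-timeout=3600
proxy-send-timeout=3600
enable-access-log-for-default-backend=true
ssl-redirect=true
use-http2=true
use-forwarded-headers=true
compute-full-forwarded-for=true'

# Print the live controller ConfigMap's data as key=value lines: [NAMESPACE] [CONFIGMAP]
dump_ingress_settings() {
  kubectl -n "${1:-ingress-nginx}" get configmap "${2:-ingress-nginx-controller}" \
    -o go-template='{{range $k, $v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}'
}

# Compare key=value lines on stdin with the required set; prints each missing or
# differing key and returns 0 only when everything matches.
# Typical use: dump_ingress_settings | check_ingress_settings
check_ingress_settings() {
  local actual line key want have rc=0
  actual=$(cat)
  while IFS= read -r line; do
    key=${line%%=*}; want=${line#*=}
    have=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1==k {sub(/^[^=]*=/, ""); print}')
    if [ "$have" != "$want" ]; then
      echo "$key: want '$want', have '${have:-<unset>}'"
      rc=1
    fi
  done <<EOF
$REQUIRED_INGRESS_SETTINGS
EOF
  return $rc
}

# Render a JSON merge patch with the required values, e.g.:
#   kubectl -n ingress-nginx patch configmap ingress-nginx-controller \
#     --type merge -p "$(render_ingress_patch)"
render_ingress_patch() {
  printf '{"data":{'
  printf '%s\n' "$REQUIRED_INGRESS_SETTINGS" |
    awk -F= '{ if (NR > 1) printf ","; printf "\"%s\":\"%s\"", $1, $2 }'
  printf '}}\n'
}
```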

Cert-manager

Install and configure Cert-manager.

MSSQL

MSSQL is a relational database management system.

Active Directory (LDAP)

Active Directory authenticates and authorizes all users and computers in a network, assigning and enforcing security policies for network access.

Important: When upgrading from AppScan 360° version 1.1.0 or earlier, the LDAP configuration cannot be reused as is. You must verify that all LDAP parameters meet the AppScan 360° version 1.2 requirements before installing.

Network

The network should be encrypted and should support Kubernetes network policies.

Important: We strongly recommend that the certificate installed for communication between the client and AppScan 360° be a trusted certificate. Without a trusted certificate, the communication between the client and AppScan 360° is untrusted; as a workaround, clients can import the certificate into the client's JRE keystore. However, this option may not work for static analysis clients (such as an Azure plugin) that download the Static Analyzer Command Line Utility (SAClientUtil) from AppScan 360° automatically.

Storage

AppScan 360° uses two types of storage. The storage space needed depends largely on the number of scans and the size of the application being scanned. As a guideline, the average size of storage required for a single scan execution is:

  • MSSQL server DB storage: 150 KB
  • File storage: 10 MB
Estimated storage per number of scan executions:

Scan executions          1,000     100,000     1,000,000
MSSQL server storage     150 MB    15 GB       150 GB
File storage             10 GB     1 TB        10 TB

The recommended minimum storage size for both the database and the file storage is 200 GB each, for storing logs temporarily.

Note: Storage should be encrypted, redundant, shareable between pods, and support the RWX (ReadWriteMany) access mode.

You can manually delete old scans to save space.

CPU and memory

CPU and memory requirements depend on the number of users and expected workload.

By default, the Kubernetes job allocates the minimum resources for each scan. In some cases, depending on factors such as how active your users are, how much automation you use, the size of the application, and the frequency of scans, more resources may be required for the scan to run properly; assuming resources are available, the pod tries to scale up to the maximum defined resources. If there are not enough resources to scale up, some scans might fail.

To maximize success, provide enough resources for the system to be able to scale up when needed. Resource allocation is derived from the number of concurrent scans.

ASCP resources

When running ASCP only:

                  Memory    CPU (vCore)
ASCP minimum      42 GB     10
ASCP maximum      48 GB     12

Note: ASCP resources are constant and are in addition to the resources required for scanning.

Scanning resources

When running scans, the following resources are required in addition to the ASCP resources:

                                                       Memory    CPU (vCore)
Dynamic analysis: single scan            Minimum       3 GB      2
                                         Recommended   4 GB      3
Dynamic analysis: five concurrent scans  Minimum       15 GB     10
                                         Recommended   20 GB     15
Dynamic analysis: ten concurrent scans   Minimum       30 GB     20
                                         Recommended   40 GB     30
Static analysis: single scan             Minimum       16 GB     2
                                         Maximum       28 GB     4
Static analysis: five concurrent scans   Minimum       80 GB     10
                                         Maximum       140 GB    20
Static analysis: ten concurrent scans    Minimum       160 GB    20
                                         Maximum       280 GB    40
To achieve additional concurrency, sufficient additional resources must be available:
  • Multiply the single-scan figures listed above by the number of expected concurrent scans, and add the result to the ASCP resources. For example, using the static analysis minimums:
    • The minimum resources for five concurrent scans are 122 GB memory and 20 CPUs (42 GB for ASCP + 80 GB for scanning, and 10 CPUs for ASCP + 10 CPUs for scanning).
    • The minimum resources for 12 concurrent scans are 234 GB memory and 34 CPUs (42 GB for ASCP + 192 GB for scanning, and 10 CPUs for ASCP + 24 CPUs for scanning).
  • Ensure that a sufficient number of AppScan 360° licenses were issued during the ASCP installation.
  • Configure Kubernetes and make resources available so that multiple scans can run at the same time.
  • We do not recommend exceeding 25 concurrent scans.

The maximum number of each service depends on the expected peak scan load profile, that is, the peak number of scans submitted, percentage scanning source code/binary, and percentage scanning IRXs. Because of these unknowns, the optimal configuration may not be possible to define at the initial deployment. The HCL AppScan 360° configuration can be adjusted based on actual scan load.

Note: To perform a scan, the required resources for a scan should be available on a single node. The recommended nodes for a static scan should have at least 28GB of RAM and four cores; the recommended nodes for a dynamic scan should have at least 4GB of RAM, three cores, and 200GB of disk space for storing logs temporarily.

Database

  • Database installation, management, backup, maintenance, and licensing are the user’s responsibility.
  • MSSQL Server 2019 and above are supported.
  • Before installing HCL AppScan 360°, make sure to have a user with db_creator permissions.

Browser

AppScan 360° supports the latest versions of the following browsers:
  • Chrome
  • Safari
  • Edge
  • Firefox

Identity Provider

Two local users are created during the installation process.

                Administrator    Application Manager
Username        Admin            User
Password        Admin12!         User12!

To onboard additional users, HCL AppScan 360° requires Microsoft Active Directory.

Screen resolution

The recommended screen resolution for HCL AppScan 360° is 1920 x 1080.

Access points

Component            Ingress URL
User Portal          https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>
User API             https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>/api
User API (swagger)   https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>/swagger

Note: The ingress FQDN must be published in the DNS server with the IP address designated for the ingress.