Setting up the single VM environment

Before installing AppScan 360° using the single VM script, set up your environment for optimal deployment.

The environment in which you install and deploy AppScan 360° requires setup of prerequisite tools for optimal performance:

HCL ID

Your HCL ID associates your account with valid licenses and access to software and support. It is required for access to HCL License and Download Portal and HCL Harbor.

For complete information about creating an HCL ID and accessing licenses and software, see this document.

Linux system

An Ubuntu Linux system, version 22.04 or newer, is required to initiate deployment. The actual deployment can be in a remote Kubernetes cluster, but the deployment is initiated from this Linux machine. The system must have Bash shell and openssl installed, and be able to connect to the designated SQL server.

For dynamic scanning, increase the number of inotify instances in the kernel in all nodes where dynamic scans are run:
  1. Add fs.inotify.max_user_instances=524288 to /etc/sysctl.conf.
  2. Reboot the node for the changes to take effect.
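The following is an added example (not part of the HCL documentation or its setup script) that applies the inotify setting above idempotently, so running it twice on a node does not leave duplicate entries; the configuration file path is a parameter (defaulting to /etc/sysctl.conf) so the function can be exercised on a copy first.

```shell
#!/usr/bin/env bash
# Idempotently set fs.inotify.max_user_instances=524288 in a sysctl
# configuration file on every node that will run dynamic scans.
# Added example, not HCL tooling. CONF defaults to /etc/sysctl.conf.

set_inotify_instances() {
  local conf=${1:-/etc/sysctl.conf}
  local key='fs.inotify.max_user_instances'
  local value=${2:-524288}
  touch "$conf"
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
    # Key already present (possibly with a lower value): rewrite it in place.
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$conf"
  else
    # Key absent: append it on its own line.
    printf '%s=%s\n' "$key" "$value" >> "$conf"
  fi
}

# Print the value the file will set after reboot, or "unset" if the key
# is missing; compare with the live kernel value from
#   sysctl -n fs.inotify.max_user_instances
configured_inotify_instances() {
  local conf=${1:-/etc/sysctl.conf}
  awk -F= '/^[ \t]*fs\.inotify\.max_user_instances[ \t]*=/ { v=$2; gsub(/[ \t]/, "", v) }
           END { print (v == "" ? "unset" : v) }' "$conf"
}
```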

Local container service (Docker)

Docker is a local container service that can push images to a remote registry. It is required when installing ASCP and the AppScan Remediation Advisories from an archive file downloaded from HCL License and Download Portal.

Kubectl

Kubectl is used to communicate with remote Kubernetes clusters.

Complete instructions for installing and configuring Kubectl can be found here.

Helm 3

Helm 3 is a set of resources that makes it easier to configure and use Kubernetes applications.

Complete instructions for installing the Helm CLI can be found here.

MSSQL

MSSQL is a relational database management system.

Active Directory (LDAP)

Active Directory authenticates and authorizes all users and computers in a network, assigning and enforcing security policies for network access.

Important: When upgrading from AppScan 360° version 1.1.0 or earlier, the LDAP configuration cannot be reused as is. You must verify that all LDAP parameters meet AppScan 360° version 1.2 requirements before installing.

Network

Network should be encrypted and support network policy.

Important: We strongly recommend that the certificate installed for communication between the client and AppScan 360° be a trusted certificate. In the absence of a trusted certificate, the communication between the client and AppScan 360° will be untrusted; clients can work around this by importing the certificate into the client's JRE keystore. However, this option may not work for static analysis clients (such as an Azure plugin) that download the Static Analyzer Command Line Utility (SAClientUtil) from AppScan 360° automatically.

Storage

AppScan 360° uses two types of storage. The storage space needed depends largely on the number of scans and the size of the application being scanned. As a guideline, the average size of storage required for a single scan execution is:

  • MSSQL server DB storage: 150 KB
  • File storage: 10 MB
Estimated storage per number of scan executions:

  Scan executions         1,000     100,000    1,000,000
  MSSQL server storage    150MB     15GB       150GB
  File storage            10GB      1TB        10TB

Recommended minimum storage size for both the database and file storage is 200GB each for storing logs temporarily.
Note: Storage should be encrypted, redundant, sharable between pods, and support RWX (ReadWriteMany) access mode.

You can manually delete old scans to save space.

CPU and memory

CPU and memory requirements depend on the number of users and expected workload.

By default, the Kubernetes job allocates the minimum resources for each scan. In some cases, influenced by factors such as how active your users are, how much automation you use, the size of the application, and the frequency of scans, more resources may be required for the scan to run properly; assuming resources are available, the pod will try to scale up to the maximum defined resources. If there are not enough resources to scale up, some scans might fail.

To maximize success, provide enough resources for the system to be able to scale up when needed. Resource allocation is derived from the number of concurrent scans.

ASCP resources

When running ASCP only:

  ASCP        Memory    CPU (vCore)
  Minimum     42GB      10
  Maximum     48GB      12

Note: ASCP resources are constant and in addition to resources required for scanning.

Scanning resources

When running scans, additional resources:

  Dynamic analysis scanning                 Memory    CPU (vCore)
  Single scan             Minimum           3GB       2
                          Recommended       4GB       3
  Five concurrent scans   Minimum           15GB      10
                          Recommended       20GB      15
  Ten concurrent scans    Minimum           30GB      20
                          Recommended       40GB      30

  Static analysis scanning                  Memory    CPU (vCore)
  Single scan             Minimum           16GB      2
                          Maximum           28GB      4
  Five concurrent scans   Minimum           80GB      10
                          Maximum           140GB     20
  Ten concurrent scans    Minimum           160GB     20
                          Maximum           280GB     40

To achieve additional concurrency, there must be sufficient additional resources available:
  • Multiply the listed scanning resources for a single scan above by the number of expected concurrent scans, and add this to the ASCP resources.
    For example:
    • The minimum resources for five concurrent scans would be 122GB memory and 20 CPUs (42GB for ASCP + 80GB for scanning and 10 CPUs for ASCP + 10 CPUs for scanning).
    • The minimum resources for 12 concurrent scans would be 234GB memory and 34 CPUs (42GB for ASCP + 192GB for scanning and 10 CPUs for ASCP + 24 CPUs for scanning).
  • Ensure that a sufficient number of AppScan 360° licenses were issued during the ASCP installation.
  • Define the Kubernetes configuration and availability of resources to allow multiple scans to be up and running at the same time.
  • We do not recommend exceeding 25 concurrent scans.

The maximum number of each service depends on the expected peak scan load profile, that is, the peak number of scans submitted, percentage scanning source code/binary, and percentage scanning IRXs. Because of these unknowns, the optimal configuration may not be possible to define at the initial deployment. The HCL AppScan 360° configuration can be adjusted based on actual scan load.

Note: To perform a scan, the required resources for a scan should be available on a single node. The recommended nodes for a static scan should have at least 28GB of RAM and four cores; the recommended nodes for a dynamic scan should have at least 4GB of RAM, three cores, and 200GB of disk space for storing logs temporarily.
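The following is an added example (not part of the HCL documentation or its setup script) that turns the sizing procedure above and the per-node note into a small capacity helper: it reproduces the page's worked figures (five static scans = 122GB/20 CPUs, twelve = 234GB/34 CPUs), refuses more than 25 concurrent scans, and reports how many scans of a type fit on one node given the per-scan recommended/maximum figures.

```shell
#!/usr/bin/env bash
# Capacity helper built from the ASCP and scanning tables on this page.
# Added example, not an HCL tool. Memory in GB, CPU in vCores.
# Level "min" uses the Minimum rows; "max" uses the Maximum ASCP row, the
# Recommended dynamic row and the Maximum static row.

# Per-scan figures from the tables, printed as "<memory> <cpu>".
per_scan_figures() {
  case "$1:$2" in
    dynamic:min) echo "3 2" ;;
    dynamic:max) echo "4 3" ;;
    static:min)  echo "16 2" ;;
    static:max)  echo "28 4" ;;
    *) echo "usage: per_scan_figures static|dynamic min|max" >&2; return 1 ;;
  esac
}

# Cluster total for N concurrent scans of one TYPE: ASCP + N x per-scan.
# Prints "<memory> <cpu>"; fails above 25 concurrent scans (not recommended).
required_resources() {
  local type=$1 level=$2 n=$3 ascp_mem ascp_cpu figures
  [ "$n" -le 25 ] || { echo "error: more than 25 concurrent scans is not recommended" >&2; return 1; }
  case "$level" in
    min) ascp_mem=42; ascp_cpu=10 ;;
    max) ascp_mem=48; ascp_cpu=12 ;;
    *) echo "error: level must be min or max" >&2; return 1 ;;
  esac
  figures=$(per_scan_figures "$type" "$level") || return 1
  set -- $figures   # $1 = per-scan memory, $2 = per-scan CPU
  echo "$((ascp_mem + n * $1)) $((ascp_cpu + n * $2))"
}

# How many concurrent scans of TYPE a single node with NODE_MEM GB and
# NODE_CPU vCores can host at the recommended/maximum per-scan size; a scan's
# resources must fit on one node, so 0 means the node is too small.
scans_per_node() {
  local type=$1 node_mem=$2 node_cpu=$3 figures by_mem by_cpu
  figures=$(per_scan_figures "$type" max) || return 1
  set -- $figures
  by_mem=$((node_mem / $1))
  by_cpu=$((node_cpu / $2))
  if [ "$by_mem" -lt "$by_cpu" ]; then echo "$by_mem"; else echo "$by_cpu"; fi
}
```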

Database

  • Database installation, management, backup, maintenance, and licensing are the user’s responsibility.
  • MSSQL Server 2019 and above are supported.
  • Before installing HCL AppScan 360°, make sure to have a user with db_creator permissions.

Browser

AppScan 360° supports the latest versions of the following browsers:
  • Chrome
  • Safari
  • Edge
  • Firefox

Identity Provider

Two local users are created during the installation process.

              Administrator    Application Manager
  Username    Admin            User
  Password    Admin12!         User12!

To onboard additional users, HCL AppScan 360° requires Microsoft Active Directory.

Access points

  Component             Ingress URL
  User Portal           https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>
  User API              https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>/api
  User API (swagger)    https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>/swagger
Note: Publishing the Ingress FQDN with the Ingress designated IP in the DNS server is required.

Screen resolution

The recommended screen resolution for HCL AppScan 360° is 1920 x 1080.

Additional information

The AppScan 360° single VM setup script asks a series of questions to configure your environment. Be prepared for the questions with the following information:
  • Do you want the setup procedure to verify availability of minimum required resources?
  • Is the local VM connected to the local DNS server?
  • Is this installation intended to be a proof-of-concept for later full/distributed installation of AppScan 360°?
  • Will the install use an external certificate, if this is not a proof-of-concept deployment?
  • Will the install use existing resources? That is, "Will you bring your own devices (MSSQL and Docker Private Registry)?" and/or, "Will you bring your own database (BYOD)?"
  • What is the domain name for the installation?
  • What is the shared storage capacity of the database in gigabytes?
  • What is the preferred identity provider method?
  • Do you want to connect with your Active Directory (AD)?
  • Do you want to connect with your SMTP mail relay?