Preparing the configuration file
After setting up the AppScan 360° environment and before installing, prepare the configuration file, singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml. This is the file to which the AppScan 360° central platform and AppScan Remediation Advisories installation files refer during installation.
- Create a new file in the text editor of your choice.
- Populate the file with appropriate parameters as described in the table below.
  Note: You can supply a server certificate as part of the customization file to be used as the service entry point ingress certificate. If used, it should be provided as a PEM-structured certificate, as follows:
  - Public key in a *.crt or *.cer file
  - Private key in a *.key file
- Name the file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml, according to your installation method, and save it to the folder to which you have saved, or intend to save, the installation kit.
  Note: The self-extracting installation file must be able to locate this file during the installation process.
Configuration notes
- If you supply a server certificate as the service entry point ingress certificate, provide it as a PEM-structured certificate:
  - Public key in a *.crt or *.cer file
  - Private key in a *.key file
Configuration parameters
| Parameter | Description | Example value |
|---|---|---|
| CK_DOCKER_REGISTRY_ADDRESS | Docker image registry address (FQDN), optionally followed by a colon and a port. | pi-dpr-lin.appscan.com |
| CK_DOCKER_REGISTRY_USERNAME | Docker image registry user name. | |
| CK_DOCKER_REGISTRY_PASSWORD | Docker image registry password. | |
| CK_CNI_NETWORK_DOMAIN_SUFFIX | Designated domain service name. | appscan.com |
| CK_CSI_STORAGE_CLASS_NAME | Kubernetes storage driver class name. | longhorn |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME | Kubernetes predefined PV (Persistent Volume) to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system. Note: Optional. If left empty, the PV is generated automatically by the PVC. | |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY | Kubernetes shared storage designated size, to be calculated before installation, following the calculation logic described in the formal documentation. | 100Gi |
| CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED | Indicates whether the ingress controller is based on NGINX, or whether the SSL onload (HTTPS backend protocol) is supported by the ingress controller itself (not via an annotation). | false |
| CK_INGRESS_INTERNAL_CLASS | The ingress class name to be used when deploying ingresses into the Kubernetes cluster. | nginx |
| CK_INGRESS_INTERNAL_HOST_DOMAIN | The domain used to build the host name when deploying ingresses into the Kubernetes cluster. Note: If left empty, it is taken from CK_CNI_NETWORK_DOMAIN_SUFFIX. | appscan.com |
| CK_INGRESS_INTERNAL_HOST_SUBDOMAIN | The subdomain used to build the host name when deploying ingresses into the Kubernetes cluster. | expo.ascp |
| CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED | Indicates whether to use a supplied certificate as the external (out-of-cluster) microservices ingress certificate. Note: Supply the server certificate as part of the customization file, as a PEM-structured certificate: public key in a *.crt or *.cer file, private key in a *.key file. | false |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64 | Supplied certificate authority (CA) signing certificate of the certificate used as the external (out-of-cluster) microservices ingress certificate, base64-encoded. | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64 | Supplied public key of the certificate used as the external (out-of-cluster) microservices ingress certificate, base64-encoded. | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64 | Supplied private key of the certificate used as the external (out-of-cluster) microservices ingress certificate, base64-encoded. | <BASE64_ENCODED_VALUE> |
| CK_CONFIGURATION_DISCLOSED_SITE_URL | AppScan 360° frontend URL. Note: Do not include a trailing forward slash (/) in the URL. | https://expo.ascp.appscan.com |
| CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE | Method for onboarding new users: AutoOnboard (any user with access to the server can log in to AppScan 360°), GroupsAccess (any user in an authorized LDAP group can log in), or ManualOnboard (users must be invited using the Add Users button on the Access management > Users page). | AutoOnboard |
| CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN | LDAP server/service domain. Important: When upgrading from AppScan 360° version 1.1.0 or earlier, the LDAP configuration cannot be reused as is. Verify that all LDAP parameters meet current AppScan 360° requirements before installing. | appscan.il |
| CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME | LDAP server/service user name for establishing the connection. Note: Relevant when ManualOnboard is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | <LDAP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS | Comma-separated list of the customer's LDAP groups that are authorized to access AppScan 360°. Note: Relevant when GroupsAccess is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | |
| CK_CONFIGURATION_DISCLOSED_LDAP_SSL | Indicates whether to establish a secure connection (over SSL/TLS) to the LDAP server/service. | false |
| CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU | Designated location of the users in the AD (Active Directory) for LDAP queries. Used to authenticate AD users during login to AppScan 360°. | Users,DC=appscan,DC=com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST | SMTP mail server/service host name. | wfilsus.israel.ottawa.watchfire.com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT | SMTP mail server/service port. | 25 |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME | SMTP mail server/service user name for establishing the connection. | <SMTP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL | Indicates whether to establish a secure connection (over SSL/TLS) to the SMTP mail server/service. | false |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST | Optional. The host name of a dedicated upstream proxy. | 10.255.255.255 |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT | Optional. The port of a dedicated upstream proxy. | 3762 |
| CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_USERNAME | Optional. The user name of a dedicated upstream proxy. | ProxyUserName |
| CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION | MSSQL data store (database) connection string used to establish a connection with the database. | <DB_CONNECT_STRING> |
| CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD | LDAP server/service password for establishing the connection. Note: Relevant when ManualOnboard is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | <LDAP_PASSWORD> |
| CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD | SMTP mail server/service password for establishing the connection. | <SMTP_PASSWORD> |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PASSWORD | Optional. The password of a dedicated upstream proxy. | <PROXY_PASSWORD> |
Sample singular-singular.clusterKit.properties
```properties
#
## Docker Registry info
#
CK_DOCKER_REGISTRY_ADDRESS='pi-dpr-lin.appscan.com'
CK_DOCKER_REGISTRY_USERNAME='user'
CK_DOCKER_REGISTRY_PASSWORD='password'
#
## Network info
#
CK_CNI_NETWORK_DOMAIN_SUFFIX='appscan.com'
#
## Storage info
#
CK_CSI_STORAGE_CLASS_NAME='longhorn'
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME=''
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY='100Gi'
#
## Ingress info
#
CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED='false'
CK_INGRESS_INTERNAL_CLASS='nginx'
CK_INGRESS_INTERNAL_HOST_DOMAIN='appscan.com'
CK_INGRESS_INTERNAL_HOST_SUBDOMAIN='expo.ascp'
#
## Customer certificate info
#
CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED='false'
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64=' '
#
## Configuration/Disclosed info
#
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com'
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_USERNAME=''
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='AutoOnboard'
CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN='appscan.com'
CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME='labmgr'
CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS=''
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='false'
CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU='CN=Users,DC=appscan,DC=com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST='wfilsus.israel.ottawa.watchfire.com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT='25'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME='admin@abcd'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL='false'
#
## Configuration/Confidential info
#
CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION='Data Source=mssql-service.expo.ascp.appscan.com;Initial Catalog=AppScanCloudDB;User ID=ABC;Password=1234;MultipleActiveResultSets=True;TrustServerCertificate=True'
CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD='12345678Abcdefg'
CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD='ABC!@#123'
CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_PASSWORD=''
```
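As an added example (not part of the AppScan 360° installation kit), a small Python pre-flight checker that parses a singular-singular.clusterKit.properties file and enforces the constraints the parameter table states: boolean parameters are 'true' or 'false', the site URL has no trailing slash, the LDAP parameters each onboarding mode relies on are filled in, and, when the customer certificate is enabled, each *_AS_BASE64 value decodes to a PEM block of the expected kind. The key sets, messages and PEM-label check are this example's own assumptions, not the installer's.

```python
import base64
import re

# Parameters the table documents as boolean switches.
BOOL_KEYS = ("CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED",
             "CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED",
             "CK_CONFIGURATION_DISCLOSED_LDAP_SSL",
             "CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL")
# Certificate parameters and the PEM label their decoded value must carry (assumed check).
CERT_KEYS = {"CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64": "CERTIFICATE",
             "CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64": "CERTIFICATE",
             "CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64": "PRIVATE KEY"}
# Onboarding mode -> parameters the table marks as relevant for that mode.
IDP_REQUIRES = {"AutoOnboard": (),
                "GroupsAccess": ("CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS",),
                "ManualOnboard": ("CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME",
                                  "CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD")}

def parse_properties(text):
    """Parse KEY='value' lines of the .properties file; comment and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([A-Z0-9_]+)='(.*)'\s*", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def validate(props):
    """Return a list of problems; an empty list means the file passes every check."""
    problems = []
    for key in BOOL_KEYS:
        if props.get(key) not in ("true", "false"):
            problems.append(f"{key} must be 'true' or 'false'")
    if props.get("CK_CONFIGURATION_DISCLOSED_SITE_URL", "").endswith("/"):
        problems.append("CK_CONFIGURATION_DISCLOSED_SITE_URL must not end with '/'")
    mode = props.get("CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE", "")
    if mode not in IDP_REQUIRES:
        problems.append(f"unknown CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE '{mode}'")
    for key in IDP_REQUIRES.get(mode, ()):
        if not props.get(key):
            problems.append(f"{key} is required when mode is {mode}")
    if props.get("CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED") == "true":
        for key, label in CERT_KEYS.items():
            try:  # the value must be base64 of a PEM block carrying the expected label
                pem = base64.b64decode(props.get(key, ""), validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                pem = ""
            if not (pem.startswith("-----BEGIN ") and f"{label}-----" in pem):
                problems.append(f"{key} is not base64 of a PEM {label}")
    return problems
```

Run it before starting the installer as validate(parse_properties(open("singular-singular.clusterKit.properties").read())); an empty list means no findings.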
Sample singular-singular.clusterKit.yaml
```yaml
# Default values for ascp-dart-prime.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Settings that need to be customized by the customer are marked with 'CUSTOMIZE_ME' comments
#
global:
  # customer:
  #   certificate:
  #     ingress:
  #       # CUSTOMIZE_ME:
  #       # Indication whether to use a customer given certificate as the applicable external (out-of-cluster) micro services ingresses certificates, or not
  #       enabled: false
  #       secret:
  #         data:
  #           # CUSTOMIZE_ME:
  #           # The customer's supplied certificate authority (CA) signing certificate of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
  #           caCrtAsBase64: ''
  #           # CUSTOMIZE_ME:
  #           # The customer's supplied public key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
  #           tlsCrtAsBase64: ''
  #           # CUSTOMIZE_ME:
  #           # The customer's supplied private key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
  #           tlsKeyAsBase64: ''
  workload:
    dockerPrivateRegistry:
      secret:
        enabled: true
        name: ascp-docker-registry-secret
        data:
          # Auto generated Docker private registry user credentials configuration
          jsonConfigAsBase64: ""
  storage:
    pvc:
      linux:
        enabled: true
        # The customer's K8S storage driver access mode
        # NOTE: Set to 'ReadWriteMany' and should not be changed
        accessMode: ReadWriteMany
        # CUSTOMIZE_ME:
        # The customer's K8S storage driver class name
        # NOTE: The CSI driver must support the 'ReadWriteMany' access mode
        # storageClassName: freenas-nfs-csi
        storageClassName: longhorn
        # CUSTOMIZE_ME:
        # The customer's K8S predefined PV (Persistent Volume), to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system
        # NOTES:
        # 1. This field is optional; if left empty, the designated PV will be generated automatically by the PVC
        # 2. This ability is generally used when migrating from the Windows VM based version of AppScan 360°, and there is a need to keep the existing (shared) data
        # 3. In case the PV is NOT intended to be associated with any storage class, do the following:
        #    3.1 Set the storage class name parameter (CK_CSI_STORAGE_CLASS_NAME) to a pseudo one (e.g., 'manual')
        #    3.2 Set the PV in the same way (regarding its storage-class parameter) as the PVC
        volumeName: null
        # CUSTOMIZE_ME:
        # The customer's K8S shared storage designated size, to be calculated before installation, following the calculation logic outlined in the formal documentation
        requestedCapacity: 50Gi
  ca:
    seed:
      enabled: true
      issuer:
        name: appscan-seed-ca-clusterissuer
        kind: ClusterIssuer
    root:
      secret:
        data:
          # Auto generated root CA certificate
          tlsCrtAsBase64: null
          # Auto generated root CA private key
          tlsKeyAsBase64: null
      certificate:
        name: appscan-root-ca-cert
        duration: 26280h0m0s # 3 years
        renewBefore: 8760h0m0s # 1 year
  # ingress:
  #   controller:
  #     capabilities:
  #       # CUSTOMIZE_ME:
  #       # Indicates whether the Ingress Controller is based on NGINX, or the SSL onload (HTTPS backend protocol) is supported by the ingress controller (not via an annotation, but by the controller itself!), or not
  #       isHttpsBackendProtocolSupported: true
  #   internal:
  #     # CUSTOMIZE_ME:
  #     # The ingress class name to be used when deploying ingresses into the customer's K8S cluster
  #     class: nginx
  #     host:
  #       # CUSTOMIZE_ME:
  #       # The (main) domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
  #       # NOTE: If left empty, it will be taken from the 'global.network.domainSuffix' field
  #       domain: appscan.com
  #       # CUSTOMIZE_ME:
  #       # The sub domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
  #       subDomain: as360
  network:
    # CUSTOMIZE_ME:
    # The customer's designated (main) domain name
    domainSuffix: appscan.com
  configuration:
    disclosed:
      # CUSTOMIZE_ME:
      # AS360 frontend URL (of the UI)
      # NOTE: The URL must NOT have a trailing '/' at the end (a valid example: 'https://mydomain.server.com', an invalid example: 'https://mydomain.server.com/')
      siteUrl: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service domain
      ldapDomain: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service user name (for establishing connection)
      # NOTE: Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapUsername: ''
      # CUSTOMIZE_ME:
      # The customer's list of LDAP groups (comma-separated) that are authorized to access AppScan 360°
      # NOTE: Relevant IFF 'GroupsAccess' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapAuthorizedGroups: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's LDAP server/service, or not
      # NOTE: Valid values are 'True' or 'False'
      ldapSsl: ''
      # CUSTOMIZE_ME:
      # The customer's designated location of the users in its AD (Active Directory) for LDAP queries; it is used to authenticate AD users during login to AppScan 360°
      ldapTargetOU: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service host name
      mailSmtpHost: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service port
      mailSmtpPort: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service user name (for establishing connection)
      mailSmtpUserName: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's SMTP mail server/service, or not
      # NOTE: Valid values are 'True' or 'False'
      mailSmtpEnableSsl: ''
      # CUSTOMIZE_ME:
      # Define your method for onboarding new users:
      #   AutoOnboard: Any user with access to the server can log in to AppScan 360°.
      #   GroupsAccess: Any user in an authorized group (defined above) can log in to AppScan 360°.
      #   ManualOnboard: Users must be invited using the Add Users button on the Access management > Users page.
      externalIDPMode: ''
      # CUSTOMIZE_ME:
      # Optional set of parameters, to be used IFF the customer has a dedicated upstream proxy (used to enable Internet access from within the customer's network),
      # holding the customer's upstream proxy settings (for establishing connection), if applicable.
      # NOTES:
      # 1. Currently there is NO support for using a script to configure the upstream proxy settings
      # The customer's upstream proxy host (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyHost: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy port (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyPort: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy username (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyUsername: ''
    confidential:
      # CUSTOMIZE_ME:
      # The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
      defaultConnection: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service password (for establishing connection)
      # NOTE: Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapPassword: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service password (for establishing connection)
      mailSmtpPassword: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy password (for establishing connection); an optional parameter, to be used IFF the customer has a dedicated upstream proxy
      upstreamProxyPassword: ''
      #
      # Below entries are not required for ASOP/AS360
      #
      opsConsoleDPKey: ''
      oktaClientSecret: ''
      oktaApiToken: ''
      licenseApiKey: ''
      githubClientSecret: ''
common:
  ingress:
    enabled: false
  service:
    enabled: false
  helmHooks:
    rbacBaseName: helm-hooks-rbac
ascp-user-portal-ui:
  enabled: true
ascp-domain-challenger:
  enabled: true
ascp-egress-gatekeeper:
  enabled: true
ascp-mr-tasks-manager:
  enabled: true
ascp-mr-user-api:
  enabled: true
ascp-mr-scanners-api:
  enabled: true
ascp-mr-presence-api:
  enabled: true
```