HCL AppScan 360° Prerequisite Instructions

This document provides a comprehensive checklist of prerequisites for deploying HCL AppScan 360°, covering the Deployment Server, Kubernetes Cluster, External Dependencies, and resource requirements. Use the validation commands to verify the setup. For detailed configuration instructions, refer to the "Preparing the configuration file" guide.

Deployment Server Prerequisites

The Deployment Server is a Linux-based system used to initiate and manage the AppScan 360° deployment.

Category            Requirement
Operating system    Ubuntu Linux 24.04 or newer
Software
Configuration
  • Must connect to the designated MSSQL Server

  • Must communicate with Kubernetes cluster services

Kubernetes Cluster Prerequisites

The Kubernetes cluster hosts the AppScan 360° platform and requires specific components and configurations.
Category Requirement
Components
  • Ingress controller (e.g., NGINX, version 1.11.5 or 1.12.1 or later)

    Configuration:

    - proxy-body-size: 2g

    - proxy-connect-timeout: 3600

    - proxy-read-timeout: 3600

    - proxy-send-timeout: 3600

    - enable-access-log-for-default-backend: true

    - ssl-redirect: true

    - use-http2: true

    - use-forwarded-headers: true

    - compute-full-forwarded-for: true

  • Cert-manager (version 1.11.0 or compatible)

    Reference: Cert-manager Installation

Storage
  • Storage class supporting ReadWriteMany (RWX) access modes for persistent volumes

  • Kubernetes CSI driver with fsGroup security context support

Networking
  • Dual-stack IPv4/IPv6 enabled if IPv6 is required

  • Network policy support for encrypted communication

Worker nodes
  • Ensure sufficient resources for dynamic and static scanning (see Resource Requirements)
Note: For dynamic scanning, increase the number of inotify instances in the kernel on all nodes where dynamic scans are run:
  • Add fs.inotify.max_user_instances=524288 to /etc/sysctl.conf.

  • Reboot the node for the changes to take effect.

  • For smaller clusters, 32800 may suffice, but 524288 is recommended for robust dynamic scanning.
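
A preflight check for the ingress controller settings and the inotify limit listed above, as an added example that is not part of the HCL documentation. The function names, the key=value input format, and the ingress-nginx namespace and ingress-nginx-controller ConfigMap name in the usage comment are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example (not HCL code): checks for two settings from this section.
# Required ingress-nginx ConfigMap values, copied from the list above.
REQUIRED_INGRESS='proxy-body-size=2g
proxy-connect-timeout=3600
proxy-read-timeout=3600
proxy-send-timeout=3600
enable-access-log-for-default-backend=true
ssl-redirect=true
use-http2=true
use-forwarded-headers=true
compute-full-forwarded-for=true'

# check_ingress_config ACTUAL
# ACTUAL holds key=value lines dumped from the controller ConfigMap.
# Prints one line per missing or different key; returns 1 if any were found.
check_ingress_config() {
    actual=$1 rc=0
    for want in $REQUIRED_INGRESS; do
        key=${want%%=*}
        got=$(printf '%s\n' "$actual" | sed -n "s/^$key=//p" | tail -n 1)
        if [ -z "$got" ]; then echo "MISSING  $key (want ${want#*=})"; rc=1
        elif [ "$got" != "${want#*=}" ]; then echo "MISMATCH $key=$got (want ${want#*=})"; rc=1
        fi
    done
    return $rc
}

# inotify_conf_value FILE
# Prints the last uncommented fs.inotify.max_user_instances value in a
# sysctl.conf style file ("key = value" is accepted), or nothing if unset.
inotify_conf_value() {
    sed -n 's/^[[:space:]]*fs\.inotify\.max_user_instances[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | tail -n 1
}

# inotify_verdict VALUE: grade a value against the two figures on this page.
inotify_verdict() {
    if [ -z "$1" ] || [ "$1" -lt 32800 ]; then echo too-low
    elif [ "$1" -lt 524288 ]; then echo small-cluster-only
    else echo recommended
    fi
}

# Live use (namespace and ConfigMap name are assumed defaults):
#   check_ingress_config "$(kubectl -n ingress-nginx get configmap \
#     ingress-nginx-controller \
#     -o go-template='{{range $k,$v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}')"
#   inotify_verdict "$(inotify_conf_value /etc/sysctl.conf)"          # persisted
#   inotify_verdict "$(cat /proc/sys/fs/inotify/max_user_instances)"  # running
```

Comparing the persisted and running inotify values shows whether a node has been rebooted since /etc/sysctl.conf was edited.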

External Dependencies

AppScan 360° relies on external services that must be configured and accessible.
Category Requirement
Database

MSSQL Server 2019 or above, configured with db_creator permissions, accessible for storing scan data (approximately 150 KB per scan execution)

Authentication
  • SSO - OIDC (Keycloak / Okta) OR

  • Microsoft Active Directory / Domino (LDAP) via port 389/636/TCP for user authentication

  • Default local users: Admin (password: Admin12!), User (password: User123!) created during installation

Email

SMTP Server via port 25/TCP for sending notifications

Licensing

Access to HCL License Management Portal via port 443/TCP for license activation (requires HCL ID)

Container Registry

Remote container registry (e.g., HCL Harbor) for storing and pulling AppScan 360° container images

Network

Trusted certificate for secure communication (import untrusted certificates into client JRE keystore if needed)

Storage

File storage for scan data (see Storage Requirements)

Storage Requirements

AppScan 360° requires MSSQL database and file storage. Estimated storage needs based on scan executions are:

Scan Executions    MSSQL Server Storage    File Storage
1,000              1GB                     10GB
100,000            5GB                     100GB
1,000,000          20GB                    1000GB

Recommendation: Allocate a minimum of 200 GB for both MSSQL server storage and file storage to accommodate temporary logs. Storage must be encrypted, redundant, sharable between pods, and support ReadWriteMany (RWX) access mode. Old scans can be manually deleted to save space.

Resource Requirements

AppScan 360° Platform

Component    Memory (Min/Max)    CPU (vCore, Min/Max)
ASCP         42GB / 48GB         10/12

Scanning Resources

Scenario                                                             Memory (Min/Rec)    CPU (vCore, Min/Rec)
Dynamic analysis scanning: single scan                               3GB/4GB             2/3
Dynamic analysis scanning: five concurrent scans                     15GB/20GB           10/15
Dynamic analysis scanning: ten concurrent scans                      30GB/40GB           20/30
Static analysis scanning: single scan                                16GB/28GB           2/4
Static analysis scanning: five concurrent scans                      80GB/140GB          10/20
Static analysis scanning: ten concurrent scans                       160GB/280GB         20/40
Software Composition Analysis (SCA) scanning: single scan            1GB/2GB             2/5
Software Composition Analysis (SCA) scanning: five concurrent scans  2GB/4GB             7/10
Software Composition Analysis (SCA) scanning: ten concurrent scans   4GB/6GB             10/12
Note: Resources scale with concurrent scans. Nodes require at least 28GB RAM and 4 cores for static scans, and 4GB RAM, 3 cores, and 200GB disk space for dynamic scans. Ensure sufficient AppScan 360° licenses and Kubernetes resource availability. Do not exceed 25 concurrent scans.

Validate Configuration

Verify prerequisites with the following commands:
  • Kubernetes Connectivity: kubectl version or kubectl get nodes

  • Docker Connectivity: docker version

  • Helm Connectivity: helm version

  • Cert-Manager: kubectl get pods --namespace cert-manager (ensure cert-manager pod is running)

  • Ingress: kubectl get ingress --all-namespaces (verify ingress resources)

  • Storage: kubectl get storageclass and kubectl get pv (check for RWX-capable storage)

  • SQL Connectivity: ping <MSSQL_SERVER_IP> (replace with actual IP)

  • Docker Login: docker login <PRIVATE_REGISTRY_URL> (replace with actual URL)

Additional Notes

  • HCL ID: Required for accessing HCL License and Download Portal and HCL Harbor.

  • Browser Support: Use the latest versions of Chrome, Safari, Edge, or Firefox for the AppScan 360° user interface.

  • Screen Resolution: Recommended resolution is 1920x1080 for optimal display.

  • Network Ports:

    • 22/TCP (SSH to Deployment Server)

    • 25/TCP (SMTP)

    • 389/TCP (LDAP)

    • 80, 443, 8080/TCP

  • Access Points:

    • User Portal: https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>

    • User API: https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>/api

    • User API (Swagger): https://<CK_CONFIGURATION_DISCLOSED_SITE_URL>/swagger

  • Note: Publish the Ingress FQDN with the designated IP in the DNS server.