Preparing the configuration file

After setting up the AppScan 360° environment and before installing, prepare the configuration file, singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml. This is the file to which the AppScan 360° central platform, AppScan Remediation Advisories, and Software Composition Analysis (SCA) installation files refer during installation.

To prepare the configuration file:
  1. Create a new file in the text editor of your choice.
  2. Populate the file with appropriate parameters as described in the table below.
    Note: You can supply a server certificate as part of the customization file to be used as the service entry point ingress certificate. If used, it should be provided as a PEM-structured certificate, as follows:
    • Public key in *.crt or *.cer file
    • Private key in *.key file
  3. Name the file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml, according to your installation method, and save it to the folder to which you have saved, or intend to save, the installation kit.
    Note: The self-extracting installation file must be able to locate this file during the installation process.
  4. Configure self-signed certificates, if appropriate.

Configuration notes

You can supply a server certificate as part of the customization file to be used as the service entry point ingress certificate. If used, it should be provided as a PEM-structured certificate, as follows:
  • Public key in *.crt or *.cer file
  • Private key in *.key file

Configuration parameters

Note: Enclose all parameter values with quotes.
| Parameter | Description | Example value |
|---|---|---|
| CK_DOCKER_REGISTRY_ADDRESS | Docker image registry address (FQDN), possibly with a port, separated by a colon. | pi-dpr-lin.appscan.com |
| CK_DOCKER_REGISTRY_USERNAME | Docker image registry user name. | |
| CK_DOCKER_REGISTRY_PASSWORD | Docker image registry password. | |
| CK_DOCKER_REGISTRY_CONTEXT | Docker registry context. Set to empty string to push to root, or remove if not applicable. | |
| CK_DOCKER_REGISTRY_CONTEXT_4_ADDONS | Docker registry context for addons. Set to empty string to push to root, or remove if not applicable. Can be set to same as CK_DOCKER_REGISTRY_CONTEXT for consistency. | |
| CK_HELM_REPOSITORY_CONTEXT | Helm repository context. Set to empty string to push to root, or remove if not applicable. | |
| CK_HELM_REPOSITORY_CONTEXT_4_ADDONS | Helm repository context for addons. Set to empty string to push to root, or remove if not applicable. Can be set to same as CK_HELM_REPOSITORY_CONTEXT for consistency. | |
| CK_CNI_NETWORK_DOMAIN_SUFFIX | Designated domain service name. | appscan.com |
| CK_CSI_STORAGE_CLASS_NAME | Kubernetes storage driver class name. | longhorn |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME | Kubernetes predefined PV (Persistent Volume) to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system. Note: Optional. If left empty, the designated PV is generated automatically by the PVC. This ability is generally used when migrating from the Windows VM based version of AppScan 360° and the existing (shared) data must be kept. | |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY | Kubernetes shared storage designated size, to be calculated before installation. | 100Gi |
| CK_K8S_ASCP_NAMESPACE | Optional. Namespace for platform components. | |
| CK_K8S_ASRA_NAMESPACE | Optional. Namespace for ASRA components. | |
| NAMESPACE | General namespace override for installation for SCA. | |
| CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED | Indicates whether the ingress controller is based on NGINX, or the SSL onload (HTTPS backend protocol) is supported by the ingress controller (not via an annotation, but by the controller itself). | false |
| CK_INGRESS_INTERNAL_CLASS | The ingress class name to be used when deploying ingresses into the Kubernetes cluster. | nginx |
| CK_INGRESS_INTERNAL_HOST_DOMAIN | The domain to be used when deploying ingresses into the Kubernetes cluster for building the host name. Note: If left empty, it will be taken from CK_CNI_NETWORK_DOMAIN_SUFFIX. | appscan.com |
| CK_INGRESS_INTERNAL_HOST_SUBDOMAIN | Subdomain to be used when deploying ingresses into the Kubernetes cluster for building the host name. | expo.ascp |
| CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED | Indicates whether to use a given certificate as the applicable external (out-of-cluster) microservices ingress certificates. Note: Supply a server certificate as part of the customization file to be used as the service entry point ingress certificate, or supply the certificate as a PEM-structured certificate, as follows: public key in .crt or .cer file; private key in .key file. | false |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64 | Supplied certificate authority (CA) signing certificate of the certificate used as the applicable external (out-of-cluster) microservices ingress certificates. | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64 | Supplied public key of the certificate used as the applicable external (out-of-cluster) microservices ingress certificates. | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64 | Supplied private key of the certificate used as the applicable external (out-of-cluster) microservices ingress certificates. | <BASE64_ENCODED_VALUE> |
| CK_CONFIGURATION_DISCLOSED_SITE_URL | AppScan 360° frontend URL. Note: Do not include a trailing forward slash (/) in the URL. | https://expo.ascp.appscan.com |
| CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE | Define your method for on-boarding new users. AutoOnboard: Any user with access to the server can log in to AppScan 360°. GroupsAccess: Any user in an authorized group (defined below) can log in to AppScan 360°. ManualOnboard: Users must be invited using the Add Users button on the Access management > Users page. | AutoOnboard |
| CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN | LDAP server/service domain. Important: When upgrading from AppScan 360° version 1.1.0 or earlier, the LDAP configuration cannot be reused as is. You must verify that all LDAP parameters meet current/updated AppScan 360° requirements before installing. | appscan.il |
| CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME | LDAP server/service user name for establishing connection. Note: Relevant when "ManualOnboard" is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | <LDAP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS | The customer's list of LDAP groups (comma-separated) that are authorized to access AppScan 360°. Note: Relevant when "GroupsAccess" is indicated for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | |
| CK_CONFIGURATION_DISCLOSED_LDAP_SSL | Indicates whether to establish a secure connection (over SSL/TLS) towards an LDAP server/service. | false |
| CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU | Designated location of the users in the AD (Active Directory) for LDAP queries. Used to authenticate AD users during login to AppScan 360°. | Users,DC=appscan,DC=com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST | SMTP mail server/service host name. | wfilsus.israel.ottawa.watchfire.com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT | SMTP mail server/service port. | 25 |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME | SMTP mail server/service user name for establishing connection. | <SMTP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL | Indicates whether to establish a secure connection (over SSL/TLS) towards an SMTP mail server/service. | false |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST | Optional. The host name of a dedicated upstream proxy. | 10.255.255.255 |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT | Optional. The port of a dedicated upstream proxy. | 3762 |
| CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_USERNAME | Optional. The username of a dedicated upstream proxy. | ProxyUserName |
| CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION | MSSQL data store (database) connection string used to establish a connection with the database. | <DB_CONNECT_STRING> |
| CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD | LDAP server/service password for establishing connection. Note: Relevant when "ManualOnboard" is indicated for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | <LDAP_PASSWORD> |
| CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD | SMTP mail server/service password for establishing connection. | <SMTP_PASSWORD> |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PASSWORD | Optional. The password of a dedicated upstream proxy. | <PROXY_PASSWORD> |
| CK_CONFIGURATION_DISCLOSED_OIDC_CLIENT_ID | Optional. The OpenIdConnect (OIDC) client ID used to establish a connection with the OIDC server. The OIDC client ID should be configured through the UI. It is exposed here only to allow troubleshooting of misconfigured settings causing account lockout. Configuration file settings have precedence over the UI settings. IFF set, all other OIDC-related parameters must be set as well. | |
| CK_CONFIGURATION_DISCLOSED_OIDC_AUTHORITY | Optional. The OIDC authority base URL to use when making OpenIdConnect (OIDC) calls. The OIDC authority base URL should be configured through the UI. It is exposed here only to allow troubleshooting of misconfigured settings causing account lockout. Configuration file settings have precedence over the UI settings. IFF set, all other OIDC-related parameters must be set as well. | |
| CK_CONFIGURATION_CONFIDENTIAL_OIDC_CLIENT_SECRET | The OpenIdConnect (OIDC) client secret used to establish a connection with the OIDC server. | |
| CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64 | Base64 encoded certificate for configuring OIDC. | |
| CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS | Domain(s) used for OIDC. | |
| CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_SMTPS_AS_BASE64 | Certificate associated with SMTP. | |
| CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64 | Certificate associated with LDAP. | |
| CK_CUSTOMER_CA_CERTIFICATES_ENABLED | Enable certificate customization as specified in certificate parameters. | true |
| SCA_CSI_STORAGE_CLASS_NAME | The K8S storage driver class name. | |
| SCA_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY | The K8S shared storage designated size, to be calculated before installation. | |
| SCA_CSI_STORAGE_ACCESS_MODE | The K8S storage driver access mode. | |
| SCA_CSI_STORAGE_VOLUME_NAME | Optional. The K8S predefined persistent volume to be used with the PVC. If empty, it is auto-generated. | |
| SCA_CONNECTIONSTRINGSSCAENGINEDATABASE | SCA engine database connection string. Note: Microsoft SQL Server must be installed. Escape commas using backslash (\) if necessary. | |
| SCA_CONNECTIONSTRINGSSCAAGGREGATIONDB | Aggregation database connection string. | |
| SCA_AUTOUPDATER_REGISTRY_ADDRESS | Optional. This variable is needed if the only registry is other than the HCL AutoUpdater registry. | hclcr.io |
| SCA_AUTOUPDATER_REGISTRY_PATH | Optional. This variable is needed only if the registry and path is different from the default. | |
| SCA_AUTOUPDATER_HELM_PATH | Optional. This variable is needed only if the Helm repo path is different from the default. | |
| SCA_AUTOUPDATER_REGISTRY_USERNAME | Optional. The username of the registry to be used by the SCA AutoUpdater. | |
| SCA_AUTOUPDATER_REGISTRY_PASSWORD | Optional. The password of the registry to be used by the SCA AutoUpdater. | |

Configuring self-signed certificates

If your environment uses custom self-signed certificates for SSO (using Okta or Keycloak, for example) or LDAP (using Active Directory or Domino LDAP, for example), you must configure these certificates during installation. If you are using trusted primary certificates, you do not need to perform these steps.

To configure self-signed certificates for a distributed installation:
  1. In the installation properties file (singular-singular.clusterKit.properties), specify the certificate as base64-value.
    • For SSO authentication:
      CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64=<base64-value>
      CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true'
    • For LDAP authentication:
      CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64=<base64-value>
      CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true'
  2. If you are configuring SSO, specify the external domain to allow AppScan 360° to connect to your Okta or Keycloak tenant. For example:
    CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS='xxxxx.demo.com,XXXXX.abc.com'
To configure self-signed certificates for a Helm installation:
  1. Update your properties file (singular-singular.clusterKit.yaml) with the customer CA certificate settings.
    #
    # Settings that need to be customized by the customer are marked with 'CUSTOMIZE_ME' comments
    #
    
    global:
      customer:
        certificate:
          ca:
            # CUSTOMIZE_ME:
            # Indication whether to use customer given CA certificates, or not
            enabled: true
            secret:
                data:
                    # CUSTOMIZE_ME:
                    # The customer's supplied CA certificate used for signing LDAPs based service(s)
                    caCrtForLDAPsAsBase64: ' '
                    # CUSTOMIZE_ME:
                    # The customer's supplied CA certificate used for signing SMTPs based service(s) 
                    caCrtForSMTPsAsBase64: ' '
                    # CUSTOMIZE_ME:
                    # The customer's supplied CA certificate used for signing OIDCs based service(s)
                    caCrtForOIDCsAsBase64: ' '
  2. Specify the certificate in the properties file.
    • Set enabled to true.
    • For SSO, specify the certificate at caCrtForOIDCsAsBase64.
    • For LDAP, specify the certificate at caCrtForLDAPsAsBase64.
To configure self-signed certificates for a single VM installation:
  1. Place the self-signed certificate in the certificate folder (SSO or LDAP, as appropriate).
  2. At step 8f of the custom single VM installation procedure, specify the external domain to allow AppScan 360° to connect to your SSO or LDAP provider.

Sample singular-singular.clusterKit.properties

#
## Docker Registry info
#

CK_DOCKER_REGISTRY_ADDRESS='pi-dpr-lin.appscan.com'
CK_DOCKER_REGISTRY_USERNAME='user'
CK_DOCKER_REGISTRY_PASSWORD='password'

#
## Network info
#

CK_CNI_NETWORK_DOMAIN_SUFFIX='appscan.com'

#
## Storage info
#

CK_CSI_STORAGE_CLASS_NAME='longhorn'
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME=''
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY='100Gi'

#
## Ingress info
#

CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED='false'
CK_INGRESS_INTERNAL_CLASS='nginx'
CK_INGRESS_INTERNAL_HOST_DOMAIN='appscan.com'
CK_INGRESS_INTERNAL_HOST_SUBDOMAIN='expo.ascp'

#
## Customer certificate info 
#

CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED='false'
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64='   '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64='  '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64='  '

#
## Configuration/Disclosed info
#

CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com'
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_USERNAME=''
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='AutoOnboard'
CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN='appscan.com'
CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME='labmgr'
CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS=''
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='false'
CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU='CN=Users,DC=appscan,DC=com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST='wfilsus.israel.ottawa.watchfire.com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT='25'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME='admin@abcd'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL='false'

#
## Configuration/Confidential info
#

CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION='Data Source=mssql-service.expo.ascp.appscan.com;Initial Catalog=AppScanCloudDB;User ID=ABC;Password=1234;MultipleActiveResultSets=True;TrustServerCertificate=True'
CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD='12345678Abcdefg'
CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD='ABC!@#123'
CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_PASSWORD=''


#
## OIDC Configuration and Certificates
#

CK_CONFIGURATION_DISCLOSED_OIDC_CLIENT_ID=''
CK_CONFIGURATION_DISCLOSED_OIDC_AUTHORITY=''
CK_CONFIGURATION_CONFIDENTIAL_OIDC_CLIENT_SECRET=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64=''
CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_SMTPS_AS_BASE64=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64=''
CK_CUSTOMER_CA_CERTIFICATES_ENABLED=''

#
## SCA Configuration
#
SCA_CSI_STORAGE_CLASS_NAME=''
SCA_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY=''
SCA_CSI_STORAGE_ACCESS_MODE=''
SCA_CSI_STORAGE_VOLUME_NAME=''
SCA_CONNECTIONSTRINGSSCAENGINEDATABASE=''
SCA_CONNECTIONSTRINGSSCAAGGREGATIONDB=''

#
## SCA Auto Updater Configuration
#
SCA_AUTOUPDATER_REGISTRY_ADDRESS=''
SCA_AUTOUPDATER_REGISTRY_PATH=''
SCA_AUTOUPDATER_HELM_PATH=''
SCA_AUTOUPDATER_REGISTRY_USERNAME=''
SCA_AUTOUPDATER_REGISTRY_PASSWORD=''

#
## Registry Contexts Customization
# 
CK_DOCKER_REGISTRY_CONTEXT=''
CK_HELM_REPOSITORY_CONTEXT=''
CK_DOCKER_REGISTRY_CONTEXT_4_ADDONS=''
CK_HELM_REPOSITORY_CONTEXT_4_ADDONS=''

#
## Namespace Customization
#
CK_K8S_ASCP_NAMESPACE=''
CK_K8S_ASRA_NAMESPACE=''
NAMESPACE=''
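
The rules this page states for the properties file (quoted values, no trailing slash on the site URL, the three on-boarding modes, all-or-nothing OIDC settings, base64 certificate values) can be checked before installation, along with the unencrypted LDAP/SMTP settings, TrustServerCertificate=True and the sample credentials that appear in the sample above. The Python below is an added example, not part of the AppScan 360° installation kit; the function names, finding codes and the choice of which three keys count as OIDC-related are assumptions.

```python
import base64
import binascii
import re

D = "CK_CONFIGURATION_DISCLOSED_"
C = "CK_CONFIGURATION_CONFIDENTIAL_"
CA_PREFIX = "CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_"
IDP_MODES = {"AutoOnboard", "GroupsAccess", "ManualOnboard"}
# Assumption: these three are the "OIDC-related" parameters that must be set together.
OIDC_KEYS = [D + "OIDC_CLIENT_ID", D + "OIDC_AUTHORITY", C + "OIDC_CLIENT_SECRET"]
# Credentials printed in the page's sample file; they must never reach a real install.
DOC_SAMPLE_SECRETS = {"password", "12345678Abcdefg", "ABC!@#123"}

# Constructed input: keys from the page's sample file with mistakes planted in them.
SAMPLE = """\
CK_DOCKER_REGISTRY_PASSWORD='password'
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://as360.example.test/'
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='GroupsAccess'
CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN='example.test'
CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS=''
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='false'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST=smtp.example.test
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL='true'
CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION='Data Source=db.example.test;User ID=svc;Password=REDACTED;TrustServerCertificate=True'
CK_CONFIGURATION_DISCLOSED_OIDC_CLIENT_ID='client-1'
CK_CONFIGURATION_DISCLOSED_OIDC_AUTHORITY=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64='not base64!'
CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true'
"""


def parse_properties(text):
    """Parse KEY='value' lines; report any value not enclosed in quotes."""
    values, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if not sep or not re.fullmatch(r"[A-Z0-9_]+", key):
            findings.append(("SYNTAX", line[:40], "not a KEY='value' line"))
            continue
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1].strip()
        else:
            findings.append(("UNQUOTED", key, "value is not enclosed in quotes"))
        values[key] = val
    return values, findings


def lint(text):
    """Return (code, key, message) findings for a clusterKit.properties text."""
    v, out = parse_properties(text)

    def get(key):
        return v.get(key, "")

    for key, val in v.items():
        if val in DOC_SAMPLE_SECRETS or "Password=1234;" in val:
            out.append(("SAMPLE_SECRET", key, "credential copied from the sample file"))
        if key.endswith("_AS_BASE64") and val:
            try:
                base64.b64decode(val, validate=True)
            except (binascii.Error, ValueError):
                out.append(("BAD_BASE64", key, "value does not decode as base64"))
    if get(D + "SITE_URL").endswith("/"):
        out.append(("TRAILING_SLASH", D + "SITE_URL", "remove the trailing '/'"))
    mode = get(D + "EXTERNAL_IDP_MODE")
    if mode and mode not in IDP_MODES:
        out.append(("BAD_IDP_MODE", D + "EXTERNAL_IDP_MODE", f"unknown mode {mode!r}"))
    if mode == "GroupsAccess" and not get(D + "LDAP_AUTHORIZED_GROUPS"):
        out.append(("GROUPS_EMPTY", D + "LDAP_AUTHORIZED_GROUPS", "no authorized groups"))
    if get(D + "LDAP_DOMAIN") and get(D + "LDAP_SSL").lower() != "true":
        out.append(("LDAP_PLAINTEXT", D + "LDAP_SSL", "LDAP connection is not over TLS"))
    if get(D + "MAIL_SMTP_HOST") and get(D + "MAIL_SMTP_ENABLE_SSL").lower() != "true":
        out.append(("SMTP_PLAINTEXT", D + "MAIL_SMTP_ENABLE_SSL", "SMTP is not over TLS"))
    if re.search(r"TrustServerCertificate\s*=\s*True", get(C + "DEFAULT_CONNECTION"), re.I):
        out.append(("DB_CERT_UNVERIFIED", C + "DEFAULT_CONNECTION", "server cert unchecked"))
    oidc_set = [k for k in OIDC_KEYS if get(k)]
    if oidc_set and len(oidc_set) < len(OIDC_KEYS):
        out.append(("OIDC_PARTIAL", OIDC_KEYS[0], "set all OIDC parameters or none"))
    ca_values = [val for key, val in v.items() if key.startswith(CA_PREFIX)]
    if get("CK_CUSTOMER_CA_CERTIFICATES_ENABLED").lower() == "true" and not any(ca_values):
        out.append(("CA_MISSING", "CK_CUSTOMER_CA_CERTIFICATES_ENABLED", "no CA certificate"))
    return out


if __name__ == "__main__":
    for code, key, msg in lint(SAMPLE):
        print(f"{code:20} {key}: {msg}")
```

Because the file holds registry, LDAP, SMTP and database credentials in plain text, run the check on the installation host itself rather than copying the file elsewhere.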

Sample singular-singular.clusterKit.yaml

# Default values for ascp-dart-prime.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

#
# Settings that need to be customized by the customer are marked with 'CUSTOMIZE_ME' comments
#
global:
  customer:
    certificate:
       ca:
         # CUSTOMIZE_ME:
         # Indication whether to use customer given CA certificates, or not
         enabled: false
         secret:
           data:
             # CUSTOMIZE_ME:
             # The customer's supplied CA certificate used for signing LDAPs based service(s)
             caCrtForLDAPsAsBase64: ''
             # CUSTOMIZE_ME:
             # The customer's supplied CA certificate used for signing SMTPs based service(s)
             caCrtForSMTPsAsBase64: ''
             # CUSTOMIZE_ME:
             # The customer's supplied CA certificate used for signing OIDCs based service(s)
             caCrtForOIDCsAsBase64: ''
       ingress:
         # CUSTOMIZE_ME:
         # Indication whether to use a customer given certificate as the applicable external (out-of-cluster) micro services ingresses certificates, or not
         enabled: false
         secret:
           data:
             # CUSTOMIZE_ME:
             # The customer's supplied certificate authority (CA) signing certificate of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
             caCrtAsBase64: ''
             # CUSTOMIZE_ME:
             # The customer's supplied public key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
             tlsCrtAsBase64: ''
             # CUSTOMIZE_ME:
             # The customer's supplied private key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
             tlsKeyAsBase64: ''
  storage:
    pvc:
      linux:
        enabled: true
        # The customer's K8S storage driver access mode
        #   NOTE: Set on 'ReadWriteMany' and should not be changed
        accessMode: ReadWriteMany
        # CUSTOMIZE_ME:
        # The customer's K8S storage driver class name
        #   NOTE: The CSI driver must support 'ReadWriteMany' access mode
#       storageClassName: freenas-nfs-csi
        storageClassName: longhorn
        # CUSTOMIZE_ME:
        # The customer's K8S predefined PV (Persistent Volume), to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system
        #   NOTES:
        #   1. This field is optional, if left empty, the designated PV will be generated automatically by the PVC
        #   2. This ability is generally used in case migrating from the Windows VM based version of AppScan 360°, and there is a need to keep the existing (shared) data
        #   3. Note: In case the PV is NOT intended to be associated with any storage class, do the following:
        #     3.1 The storage class name parameter (CK_CSI_STORAGE_CLASS_NAME) should be set to a pseudo one (e.g., 'manual')
        #     3.2 The PV should be set in the same way (regarding its storage-class parameter) as the PVC
        volumeName: null
        # CUSTOMIZE_ME:
        # The customer's K8S shared storage designated size, to be calculated before installation, following the calculation logic outlined in the formal documentation
        requestedCapacity: 50Gi
      accessMode: ReadWriteMany     # SCA
      requestedCapacity: 10Gi       # SCA
      storageClassName: manual      # SCA
      volumeName: ''                # SCA
  ca:
    seed:
      enabled: true
      issuer:
        name: appscan-seed-ca-clusterissuer
        kind: ClusterIssuer
    root:
      secret:
        data:
          # Auto generated root CA certificate
          tlsCrtAsBase64: null
          # Auto generated root CA private key
          tlsKeyAsBase64: null
      certificate:
        name: appscan-root-ca-cert
        duration: 26280h0m0s # 3 years
        renewBefore: 8760h0m0s # 1 year
  ingress:
    controller:
      capabilities:
        # CUSTOMIZE_ME:
        # Indicates whether the Ingress Controller is based on NGINX, or the SSL onload (HTTPS backend protocol) is supported by the ingress controller (not via an annotation, but by the controller itself!), or not
        isHttpsBackendProtocolSupported: true
    internal:
      # CUSTOMIZE_ME:
      # The ingress class name to be used when deploying ingresses into the customer's K8S cluster
      class: nginx
      host:
        # CUSTOMIZE_ME:
        # The (main) domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
        #   NOTE: If left empty, it will be taken from the 'global.network.domainSuffix' field
        domain: appscan.com
        # CUSTOMIZE_ME:
        # The sub domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
        subDomain: as360
  network:
    # CUSTOMIZE_ME:
    # The customer's designated (main) domain name
    domainSuffix: appscan.com
  configuration:
    disclosed:
      # CUSTOMIZE_ME:
      # AS360 frontend URL (of the UI)
      #   NOTE: The URL must NOT have a trailing '/' at the end of the URL (A valid example: 'https://mydomain.server.com', an invalid example: 'https://mydomain.server.com/')
      siteUrl: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service domain
      # NOTES:
      #   1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      #   2. Once set, it has precedence over the UI settings
      #   3. This is a key setting, IFF set, it will override the UI related settings (alongside with all the other LDAP related settings below)
      ldapDomain: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service user name (for establishing connection)
      # NOTES:
      #   1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      #   2. Once set, it has precedence over the UI settings
      #   3. Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapUsername: ''
      # CUSTOMIZE_ME:
      # The customer's list of LDAP groups (comma-separated) that are authorized to access the AppScan 360°
      # NOTES:
      #   1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      #   2. Once set, it has precedence over the UI settings
      #   3. Relevant IFF 'GroupsAccess' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapAuthorizedGroups: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's LDAP server/service, or not
      # NOTES:
      #   1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      #   2. Once set, it has precedence over the UI settings
      #   3. Valid values are 'True' or 'False'
      ldapSsl: ''
      # CUSTOMIZE_ME:
      # The customer's designated location of the users in its AD (Active Directory) for LDAP queries, it is used to authenticate AD users during login to AppScan 360°
      # NOTES:
      #   1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      #   2. Once set, it has precedence over the UI settings
      ldapTargetOU: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service host name
      mailSmtpHost: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service port
      mailSmtpPort: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service user name (for establishing connection)
      mailSmtpUserName: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's SMTP mail server/service, or not
      #   NOTE: Valid values are 'True' or 'False'
      mailSmtpEnableSsl: ''
      # CUSTOMIZE_ME:
      # Define your method for onboarding new users:
      #   AutoOnboard: Any user with access to the server can log in to AppScan 360°.
      #   GroupsAccess: Any user in an authorized group (defined below) can log in to AppScan 360°.
      #   ManualOnboard: Users must be invited using the Add Users button on the Access management > Users page.
      externalIDPMode: 'AutoOnboard'
      # CUSTOMIZE_ME:
      # The customer's comma delimited external domains to allow access to, particularly crucial for establishing communication with OpenID Connect (OIDC) servers
      externalDomains: ''
      # CUSTOMIZE_ME:
      # Optional set of parameters, to be used IFF the customer has a dedicated upstream proxy (used to enable Internet access from within the customer's network),
      # holding the customer's upstream proxy settings (for establishing connection), if applicable.
      #   NOTE: Currently there is NO support using a script to configure the upstream proxy settings
      # The customer's upstream proxy host (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyHost: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy port (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyPort: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy username (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyUsername: ''
      # CUSTOMIZE_ME:
      # The customer's designated K8S ASRA namespace to be used for AS360 installation
      #   NOTE: This field is optional, If left empty, a factory default will be used
      k8sAsraNamespace: 'hcl-appscan-asra'
      # CUSTOMIZE_ME:
      # The customer's OpenIdConnect (OIDC) client ID (used to establish a connection with the OIDC server)
      # NOTES:
      #   1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      #   2. Once set, it has precedence over the UI settings
      #   3. IFF set, ALL other OIDC related parameters must be set as well in order to actually override the UI related settings
      oidcClientId: ''
      # CUSTOMIZE_ME:
      # The customer's OIDC authority base URL to use when making OpenIdConnect (OIDC) calls
      # NOTES:
      #   1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      #   2. Once set, it has precedence over the UI settings
      #   3. IFF set, ALL other OIDC related parameters must be set as well in order to actually override the UI related settings
      oidcAuthority: ''
    confidential:
      # CUSTOMIZE_ME:
      # The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
      defaultConnection: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service password (for establishing connection)
      # NOTES:
      #   1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      #   2. Once set, it has precedence over the UI settings
      #   3. Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapPassword: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service password (for establishing connection)
      mailSmtpPassword: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy password (for establishing connection), an optional parameter, to be used IFF the customer has a dedicated upstream proxy
      upstreamProxyPassword: ''
      # CUSTOMIZE_ME:
      # The customer's OpenIdConnect (OIDC) client secret (used to establish a connection with the OIDC server)
      # NOTES:
      #   1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      #   2. Once set, it has precedence over the UI settings
      #   3. IFF set, ALL other OIDC related parameters must be set as well in order to actually override the UI related settings
      oidcClientSecret: ''
      #
      # Below entries are not required for ASOP/AS360
      #
      opsConsoleDPKey: ''
      licenseApiKey: ''
      githubClientSecret: ''
common:
  ingress:
    enabled: false
  service:
    enabled: false
  helmHooks:
    rbacBaseName: helm-hooks-rbac

ascp-user-portal-ui:
  enabled: true

ascp-domain-challenger:
  enabled: true

ascp-egress-gatekeeper:
  enabled: true

ascp-mr-tasks-manager:
  enabled: true

ascp-mr-user-api:
  enabled: true

ascp-mr-scanners-api:
  enabled: true

ascp-mr-presence-api:
  enabled: true

ascp-mr-iast-api:
  enabled: true

scaenginefetchcve:
  common:
    # CUSTOMIZE_ME:
    # The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
    # If the connection string contains a comma, escape it with a backslash (\,)
    scaservicesecrets:
      ConnectionStrings__ScaAggregationDB: ''

scaenginescanmonitorapi:
  common:
    scaservicesecrets:
      # CUSTOMIZE_ME:
      # The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
      # If the connection string contains a comma, escape it with a backslash (\,).
      ConnectionStrings__ScaEngineDatabase: ''