Preparing the configuration file
After setting up the AppScan 360° environment and before running the installation, prepare the configuration file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml. The AppScan 360° Central Platform and AppScan Remediation Advisories installation files read this file during installation.
To prepare the configuration file:
- Create a new file in a text editor of your choice.
- Populate the file with the appropriate parameters as described in the table below. Note: if you provide your own server certificate in the custom file, to be used as the ingress certificate for the service entry point, provide it as a PEM-structured certificate: the public key (certificate) from the *.crt or *.cer file and the private key from the *.key file.
- Depending on your installation method, name the file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml and save it in the folder where you saved, or intend to save, the installation package. Note: the self-extracting installation file must be able to find this file during installation. The file holds the registry, LDAP, SMTP, proxy and database credentials and, if you supply one, the ingress private key, so restrict its read permissions to the installing user and keep it out of version control.
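The certificate step above, worked as an added example that is not part of the original page or of the AppScan 360° installer. The three *_AS_BASE64 parameter names mirror the ca.crt, tls.crt and tls.key keys of a Kubernetes TLS Secret, whose data values are the base64 of the whole PEM text; the script assumes the installer expects the same encoding. It rejects inputs that are not PEM, that have the wrong block type (a certificate where a key is expected), or that are password-protected keys, then prints the quoted KEY='value' lines. The SAMPLE_* PEMs are constructed placeholders (a bare DER header), not real certificates or keys.

```python
"""Turn PEM files into the CK_CUSTOMER_INGRESS_CERTIFICATE_* properties.

Added example for this page, not part of the AppScan 360° installer. Assumes the
installer wants each *_AS_BASE64 value to be the base64 of the whole PEM text,
as a Kubernetes TLS Secret does. The SAMPLE_* PEMs are constructed placeholders.
"""
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END \1-----")
CERT_LABELS = ("CERTIFICATE",)
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")
PREFIX = "CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_"


def pem_problem(pem, allowed_labels):
    """Return None if pem is one well-formed, unencrypted block of an allowed type, else the reason."""
    if "Proc-Type: 4,ENCRYPTED" in pem or "BEGIN ENCRYPTED PRIVATE KEY" in pem:
        return "the key is password-protected; the installer needs an unencrypted private key"
    m = PEM_RE.search(pem)
    if m is None:
        return "not a PEM block (expected -----BEGIN ...----- / -----END ...----- lines)"
    label, body = m.groups()
    if label not in allowed_labels:
        return f"PEM type {label!r} is not one of {allowed_labels}"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        return "the PEM body is not valid base64"
    if not der.startswith(b"\x30"):
        return "the decoded body is not a DER SEQUENCE, so it is not an X.509 or PKCS object"
    return None


def pem_to_property_value(pem):
    """The *_AS_BASE64 value: base64 of the whole PEM text on a single line (no wrapping)."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def build_certificate_properties(ca_pem, tls_pem, key_pem):
    """Validate the three PEM inputs and return the property values; raises ValueError with every defect."""
    problems = {
        "CA certificate": pem_problem(ca_pem, CERT_LABELS),
        "server certificate": pem_problem(tls_pem, CERT_LABELS),
        "private key": pem_problem(key_pem, KEY_LABELS),
    }
    bad = [f"{name}: {why}" for name, why in problems.items() if why]
    if bad:
        raise ValueError("; ".join(bad))
    return {
        "CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED": "true",
        PREFIX + "CA_CRT_AS_BASE64": pem_to_property_value(ca_pem),
        PREFIX + "TLS_CRT_AS_BASE64": pem_to_property_value(tls_pem),
        PREFIX + "TLS_KEY_AS_BASE64": pem_to_property_value(key_pem),
    }


def render_properties(props):
    """KEY='value' lines, every value quoted as the page requires, ready to paste into the .properties file."""
    return "".join(f"{k}='{v}'\n" for k, v in props.items())


def _placeholder_pem(label):
    # Constructed placeholder: a DER SEQUENCE header over 16 zero bytes. Not a real certificate or key.
    body = base64.b64encode(b"\x30\x82\x00\x10" + b"\x00" * 16).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_CA_PEM = _placeholder_pem("CERTIFICATE")
SAMPLE_TLS_PEM = _placeholder_pem("CERTIFICATE")
SAMPLE_KEY_PEM = _placeholder_pem("PRIVATE KEY")
# Constructed: the header form OpenSSL writes for a passphrase-protected legacy RSA key.
SAMPLE_ENCRYPTED_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Real use: replace the samples with open("ca.crt").read(), open("tls.crt").read(), open("tls.key").read()
    print(render_properties(build_certificate_properties(SAMPLE_CA_PEM, SAMPLE_TLS_PEM, SAMPLE_KEY_PEM)), end="")
```

The script checks shape, not cryptography. Before pasting the output, confirm with OpenSSL that the chain and the key pair actually belong together: `openssl verify -CAfile ca.crt tls.crt` must succeed, and the output of `openssl x509 -noout -pubkey -in tls.crt` must be identical to that of `openssl pkey -pubout -in tls.key`; a mismatch there is the usual reason an ingress comes up with the wrong or no certificate.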
Configuration parameters
Note: enclose every parameter value in quotes.
| Parameter | Description | Example value |
|---|---|---|
| CK_DOCKER_REGISTRY_ADDRESS | Docker image registry address (FQDN), optionally followed by a colon and a port | pi-dpr-lin.appscan.com |
| CK_DOCKER_REGISTRY_USERNAME | Docker image registry user name | |
| CK_DOCKER_REGISTRY_PASSWORD | Docker image registry password | |
| CK_CNI_NETWORK_DOMAIN_SUFFIX | The designated domain name | appscan.com |
| CK_CSI_STORAGE_CLASS_NAME | Kubernetes storage driver class name. Note: the CSI driver must support the ReadWriteMany access mode | longhorn |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME | Kubernetes predefined PV (Persistent Volume) to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system. Note: optional; if left empty, the PV is generated automatically by the PVC. It is generally used when migrating from the Windows VM based version of AppScan 360° and the existing (shared) data must be kept. If the PV is not associated with any storage class, set CK_CSI_STORAGE_CLASS_NAME to a pseudo class (for example, manual) and configure the PV's storage-class setting the same way as the PVC | |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY | Designated size of the Kubernetes shared storage, to be calculated before installation following the calculation logic in the formal documentation | 100Gi |
| CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED | Indicates whether the ingress controller is based on NGINX, or whether the ingress controller itself (not via an annotation) supports SSL onload (HTTPS backend protocol) | false |
| CK_INGRESS_INTERNAL_CLASS | Ingress class name to use when deploying ingresses into the Kubernetes cluster | nginx |
| CK_INGRESS_INTERNAL_HOST_DOMAIN | Domain used to build the host name when deploying ingresses into the Kubernetes cluster. Note: if left empty, the domain is taken from CK_CNI_NETWORK_DOMAIN_SUFFIX | appscan.com |
| CK_INGRESS_INTERNAL_HOST_SUBDOMAIN | Subdomain used to build the host name when deploying ingresses into the Kubernetes cluster | expo.ascp |
| CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED | Indicates whether the given certificate is used as the ingress certificate of the applicable external (out-of-cluster) microservices. Note: provide the server certificate as part of the custom file, to be used as the ingress certificate for the service entry point, as a PEM-structured certificate: the public key (certificate) from the *.crt or *.cer file and the private key from the *.key file | false |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64 | The certificate authority (CA) signing certificate of the certificate used as the ingress certificate of the applicable external (out-of-cluster) microservices | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64 | The public key (certificate) of the certificate used as the ingress certificate of the applicable external (out-of-cluster) microservices | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64 | The private key of the certificate used as the ingress certificate of the applicable external (out-of-cluster) microservices | <BASE64_ENCODED_VALUE> |
| CK_CONFIGURATION_DISCLOSED_SITE_URL | AppScan 360° front-end URL. Note: do not add a trailing slash (/) to the URL | https://expo.ascp.appscan.com |
| CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE | Defines the method for onboarding new users: AutoOnboard (any user with access to the server can log in to AppScan 360°), GroupsAccess (any user in an authorized group, see CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS, can log in), or ManualOnboard (users must be invited using the Add Users button on the Access management > Users page) | AutoOnboard |
| CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN | LDAP server/service domain. Important: when upgrading from AppScan 360° V1.1.0 or earlier, the LDAP configuration cannot be reused directly. Before installing, verify that every LDAP parameter meets the current, updated AppScan 360° requirements | appscan.il |
| CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME | LDAP server/service user name used to establish the connection. Note: relevant when ManualOnboard is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE | <LDAP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS | Comma-separated list of the LDAP groups that are authorized to access AppScan 360°. Note: relevant when GroupsAccess is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE | |
| CK_CONFIGURATION_DISCLOSED_LDAP_SSL | Indicates whether to establish a secured (SSL/TLS) connection to the LDAP server/service. With false, the bind user name and password cross the network in clear text | false |
| CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU | Designated location of the users in AD (Active Directory) for LDAP queries; used to authenticate AD users during login to AppScan 360° | CN=Users,DC=appscan,DC=com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST | SMTP mail server/service host name | wfilsus.israel.ottawa.watchfire.com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT | SMTP mail server/service port | 25 |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME | SMTP mail server/service user name used to establish the connection | <SMTP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL | Indicates whether to establish a secured (SSL/TLS) connection to the SMTP mail server/service. With false, the SMTP credentials are sent without TLS | false |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST | Optional. Host name of the dedicated upstream proxy | 10.255.255.255 |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT | Optional. Port of the dedicated upstream proxy | 3762 |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_USERNAME | Optional. User name for the dedicated upstream proxy | ProxyUserName |
| CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION | MSSQL data store (database) connection string used to establish the database connection. Note: the sample below sets TrustServerCertificate=True, which disables validation of the MSSQL server certificate; keep it only where the database link is protected by other means | <DB_CONNECT_STRING> |
| CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD | LDAP server/service password used to establish the connection. Note: relevant when ManualOnboard is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE | <LDAP_PASSWORD> |
| CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD | SMTP mail server/service password used to establish the connection | <SMTP_PASSWORD> |
| CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_PASSWORD | Optional. Password for the dedicated upstream proxy | <PROXY_PASSWORD> |
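A pre-installation check for the properties file, as an added example that is not part of the original page or of the AppScan 360° installer. It parses the KEY='value' lines, enforces the rules the table states (quoted values, no trailing slash on the site URL, the onboarding mode and the LDAP fields it requires, true/false flags, base64 PEM when the customer certificate is enabled, a port when a proxy host is set) and flags the security caveats a reviewer would raise (plain-text LDAP bind, TrustServerCertificate=True). Which keys it treats as mandatory is this example's reading of the table, and SAMPLE is a constructed file with placeholder values that deliberately contains three defects.

```python
"""Lint a singular-singular.clusterKit.properties file before running the installer.

Added example for this page, not part of the AppScan 360° installer. Which keys it
treats as mandatory is this example's reading of the parameter table. SAMPLE is constructed.
"""
import base64
import binascii
import re

P = "CK_CONFIGURATION_"  # prefix shared by the DISCLOSED_* and CONFIDENTIAL_* parameters
REQUIRED_NONEMPTY = (
    "CK_DOCKER_REGISTRY_ADDRESS", "CK_CNI_NETWORK_DOMAIN_SUFFIX", "CK_CSI_STORAGE_CLASS_NAME",
    "CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY", "CK_INGRESS_INTERNAL_CLASS",
    P + "DISCLOSED_SITE_URL", P + "DISCLOSED_EXTERNAL_IDP_MODE", P + "CONFIDENTIAL_DEFAULT_CONNECTION",
)
BOOL_KEYS = (
    "CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED",
    "CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED", P + "DISCLOSED_LDAP_SSL", P + "DISCLOSED_MAIL_SMTP_ENABLE_SSL",
)
CERT_KEYS = tuple(f"CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_{x}_AS_BASE64" for x in ("CA_CRT", "TLS_CRT", "TLS_KEY"))
LINE_RE = re.compile(r"^(CK_[A-Z0-9_]+)=(.*)$")


def parse_properties(text):
    """Return (values, problems) for KEY='value' lines; blank lines and # comments are skipped."""
    values, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = LINE_RE.match(s)
        if m and len(m[2]) >= 2 and m[2][0] in "'\"" and m[2][-1] == m[2][0]:
            values[m[1]] = m[2][1:-1]  # strip the matching quotes
        else:
            problems.append(f"ERROR line {n}: expected CK_KEY='value' with the value enclosed in quotes")
    return values, problems


def is_pem_base64(value):
    """True if value is base64 whose decoding is a PEM file, the format of the *_AS_BASE64 parameters."""
    try:
        return base64.b64decode(value, validate=True).lstrip().startswith(b"-----BEGIN ")
    except (binascii.Error, ValueError):
        return False


def lint(values):
    """Cross-field checks. ERROR entries break the install; WARN entries are security caveats."""
    def v(key):
        return values.get(key, "").strip()
    p = [f"ERROR {k}: required but missing or empty" for k in REQUIRED_NONEMPTY if not v(k)]
    p += [f"ERROR {k}: must be 'true' or 'false'" for k in BOOL_KEYS if v(k).lower() not in ("true", "false")]
    if v(P + "DISCLOSED_SITE_URL").endswith("/"):
        p.append(f"ERROR {P}DISCLOSED_SITE_URL: must not end with a trailing '/'")
    mode = v(P + "DISCLOSED_EXTERNAL_IDP_MODE")
    if mode not in ("AutoOnboard", "GroupsAccess", "ManualOnboard"):
        p.append(f"ERROR {P}DISCLOSED_EXTERNAL_IDP_MODE: must be AutoOnboard, GroupsAccess or ManualOnboard")
    if mode == "ManualOnboard" and not (v(P + "DISCLOSED_LDAP_USERNAME") and v(P + "CONFIDENTIAL_LDAP_PASSWORD")):
        p.append(f"ERROR ManualOnboard needs {P}DISCLOSED_LDAP_USERNAME and {P}CONFIDENTIAL_LDAP_PASSWORD")
    if mode == "GroupsAccess" and not v(P + "DISCLOSED_LDAP_AUTHORIZED_GROUPS"):
        p.append(f"ERROR GroupsAccess needs {P}DISCLOSED_LDAP_AUTHORIZED_GROUPS")
    if v(P + "DISCLOSED_LDAP_SSL").lower() == "false":
        p.append(f"WARN {P}DISCLOSED_LDAP_SSL is false: the LDAP bind user name and password cross the network in clear text")
    if v("CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED").lower() == "true":
        p += [f"ERROR {k}: must hold the base64 of a PEM file when the customer certificate is enabled"
              for k in CERT_KEYS if not is_pem_base64(v(k))]
    if v(P + "DISCLOSED_UPSTREAM_PROXY_HOST") and not v(P + "DISCLOSED_UPSTREAM_PROXY_PORT").isdigit():
        p.append(f"ERROR {P}DISCLOSED_UPSTREAM_PROXY_PORT: must be a port number when a proxy host is set")
    # The connection string is ';'-separated key=value pairs (ADO.NET style).
    conn = dict(part.split("=", 1) for part in v(P + "CONFIDENTIAL_DEFAULT_CONNECTION").split(";") if "=" in part)
    if conn.get("TrustServerCertificate", "").strip().lower() == "true":
        p.append(f"WARN {P}CONFIDENTIAL_DEFAULT_CONNECTION: TrustServerCertificate=True skips validation of the MSSQL server certificate")
    return p


def lint_text(text):
    values, problems = parse_properties(text)
    return problems + lint(values)


def errors(problems):
    return [x for x in problems if x.startswith("ERROR")]


# Constructed sample with placeholder values; line 4 is unquoted, the site URL has a
# trailing slash, and ManualOnboard is selected without an LDAP password.
SAMPLE = """\
CK_DOCKER_REGISTRY_ADDRESS='pi-dpr-lin.appscan.com'
CK_CNI_NETWORK_DOMAIN_SUFFIX='appscan.com'
CK_CSI_STORAGE_CLASS_NAME='longhorn'
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY=100Gi
CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED='false'
CK_INGRESS_INTERNAL_CLASS='nginx'
CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED='false'
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com/'
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='ManualOnboard'
CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME='labmgr'
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='false'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL='false'
CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION='Data Source=mssql.example.test;Initial Catalog=AppScanCloudDB;User ID=ABC;Password=1234;TrustServerCertificate=True'
CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD=''
"""

if __name__ == "__main__":
    print("\n".join(lint_text(SAMPLE)))  # real use: lint_text(open("singular-singular.clusterKit.properties").read())
```

Run it against the real file before launching the self-extracting installer; an ERROR means the installer will either refuse the file or deploy with a wrong setting, a WARN is a deliberate trade-off that should be written down. The same rules apply to the values in singular-singular.clusterKit.yaml, where the keys are the camelCase fields under global.configuration.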
Sample singular-singular.clusterKit.properties
```properties
#
## Docker Registry info
#
CK_DOCKER_REGISTRY_ADDRESS='pi-dpr-lin.appscan.com'
CK_DOCKER_REGISTRY_USERNAME='user'
CK_DOCKER_REGISTRY_PASSWORD='password'
#
## Network info
#
CK_CNI_NETWORK_DOMAIN_SUFFIX='appscan.com'
#
## Storage info
#
CK_CSI_STORAGE_CLASS_NAME='longhorn'
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME=''
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY='100Gi'
#
## Ingress info
#
CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED='false'
CK_INGRESS_INTERNAL_CLASS='nginx'
CK_INGRESS_INTERNAL_HOST_DOMAIN='appscan.com'
CK_INGRESS_INTERNAL_HOST_SUBDOMAIN='expo.ascp'
#
## Customer certificate info
#
CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED='false'
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64=' '
#
## Configuration/Disclosed info
#
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com'
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_USERNAME=''
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='AutoOnboard'
CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN='appscan.com'
CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME='labmgr'
CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS=''
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='false'
CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU='CN=Users,DC=appscan,DC=com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST='wfilsus.israel.ottawa.watchfire.com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT='25'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME='admin@abcd'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL='false'
#
## Configuration/Confidential info
#
CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION='Data Source=mssql-service.expo.ascp.appscan.com;Initial Catalog=AppScanCloudDB;User ID=ABC;Password=1234;MultipleActiveResultSets=True;TrustServerCertificate=True'
CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD='12345678Abcdefg'
CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD='ABC!@#123'
CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_PASSWORD=''
```
Sample singular-singular.clusterKit.yaml
```yaml
# Default values for ascp-dart-prime.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Settings that need to be customized by the customer are marked with 'CUSTOMIZE_ME' comments
#
global:
  # customer:
  #   certificate:
  #     ingress:
  #       # CUSTOMIZE_ME:
  #       # Indication whether to use a customer given certificate as the applicable external (out-of-cluster) micro services ingresses certificates, or not
  #       enabled: false
  #       secret:
  #         data:
  #           # CUSTOMIZE_ME:
  #           # The customer's supplied certificate authority (CA) signing certificate of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
  #           caCrtAsBase64: ''
  #           # CUSTOMIZE_ME:
  #           # The customer's supplied public key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
  #           tlsCrtAsBase64: ''
  #           # CUSTOMIZE_ME:
  #           # The customer's supplied private key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
  #           tlsKeyAsBase64: ''
  workload:
    dockerPrivateRegistry:
      secret:
        enabled: true
        name: ascp-docker-registry-secret
        data:
          # Auto generated Docker private registry user credentials configuration
          jsonConfigAsBase64: ""
    storage:
      pvc:
        linux:
          enabled: true
          # The customer's K8S storage driver access mode
          # NOTE: Set on 'ReadWriteMany' and should not be changed
          accessMode: ReadWriteMany
          # CUSTOMIZE_ME:
          # The customer's K8S storage driver class name
          # NOTE: The CSI driver must support 'ReadWriteMany' access mode
          # storageClassName: freenas-nfs-csi
          storageClassName: longhorn
          # CUSTOMIZE_ME:
          # The customer's K8S predefined PV (Persistent Volume), to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system
          # NOTES:
          # 1. This field is optional, if left empty, the designated PV will be generated automatically by the PVC
          # 2. This ability is generally used in case migrating from the Windows VM based version of AppScan 360°, and there is a need to keep the existing (shared) data
          # 3. Note: In case the PV is NOT intended to be associated with any storage class, do the following:
          # 3.1 The storage class name parameter (CK_CSI_STORAGE_CLASS_NAME) should be set to a pseudo one (e.g., 'manual')
          # 3.2 The PV should be set in the same way (regarding its storage-class parameter) as the PVC
          volumeName: null
          # CUSTOMIZE_ME:
          # The customer's K8S shared storage designated size, to be calculated before installation, following the calculation logic outlined in the formal documentation
          requestedCapacity: 50Gi
  ca:
    seed:
      enabled: true
      issuer:
        name: appscan-seed-ca-clusterissuer
        kind: ClusterIssuer
      root:
        secret:
          data:
            # Auto generated root CA certificate
            tlsCrtAsBase64: null
            # Auto generated root CA private key
            tlsKeyAsBase64: null
        certificate:
          name: appscan-root-ca-cert
          duration: 26280h0m0s # 3 years
          renewBefore: 8760h0m0s # 1 year
  # ingress:
  #   controller:
  #     capabilities:
  #       # CUSTOMIZE_ME:
  #       # Indicates whether the Ingress Controller is based on NGINX, or the SSL onload (HTTPS backend protocol) is supported by the ingress controller (not via an annotation, but by the controller itself!), or not
  #       isHttpsBackendProtocolSupported: true
  #   internal:
  #     # CUSTOMIZE_ME:
  #     # The ingress class name to be used when deploying ingresses into the customer's K8S cluster
  #     class: nginx
  #     host:
  #       # CUSTOMIZE_ME:
  #       # The (main) domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
  #       # NOTE: If left empty, it will be taken from the 'global.network.domainSuffix' field
  #       domain: appscan.com
  #       # CUSTOMIZE_ME:
  #       # The sub domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
  #       subDomain: as360
  network:
    # CUSTOMIZE_ME:
    # The customer's designated (main) domain name
    domainSuffix: appscan.com
  configuration:
    disclosed:
      # CUSTOMIZE_ME:
      # AS360 frontend URL (of the UI)
      # NOTE: The URL must NOT have a trailing '/' at the end of the URL (A valid example: 'https://mydomain.server.com', an invalid example: 'https://mydomain.server.com/')
      siteUrl: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service domain
      ldapDomain: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service user name (for establishing connection)
      # NOTE: Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapUsername: ''
      # CUSTOMIZE_ME:
      # The customer's list of LDAP groups (comma-separated) that are authorized to access the AppScan 360°
      # NOTE: Relevant IFF 'GroupsAccess' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapAuthorizedGroups: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's LDAP server/service, or not
      # NOTE: Valid values are 'True' or 'False'
      ldapSsl: ''
      # CUSTOMIZE_ME:
      # The customer's designated location of the users in its AD (Active Directory) for LDAP queries, it is used to authenticate AD users during login to AppScan 360°
      ldapTargetOU: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service host name
      mailSmtpHost: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service port
      mailSmtpPort: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service user name (for establishing connection)
      mailSmtpUserName: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's SMTP mail server/service, or not
      # NOTE: Valid values are 'True' or 'False'
      mailSmtpEnableSsl: ''
      # CUSTOMIZE_ME:
      # Define your method for onboarding new users:
      # AutoOnboard: Any user with access to the server can log in to AppScan 360°.
      # GroupsAccess: Any user in an authorized group (defined above) can log in to AppScan 360°.
      # ManualOnboard: Users must be invited using the Add Users button on the Access management > Users page.
      externalIDPMode: ''
      # CUSTOMIZE_ME:
      # Optional set of parameters, to be used IFF the customer has a dedicated upstream proxy (used to enable Internet access from within the customer's network),
      # holding the customer's upstream proxy settings (for establishing connection), if applicable.
      # NOTES:
      # 1. Currently there is NO support using a script to configure the upstream proxy settings
      # The customer's upstream proxy host (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyHost: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy port (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyPort: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy username (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyUsername: ''
    confidential:
      # CUSTOMIZE_ME:
      # The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
      defaultConnection: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service password (for establishing connection)
      # NOTE: Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapPassword: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service password (for establishing connection)
      mailSmtpPassword: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy password (for establishing connection), an optional parameter, to be used IFF the customer has a dedicated upstream proxy
      upstreamProxyPassword: ''
      #
      # Below entries are not required for ASOP/AS360
      #
      opsConsoleDPKey: ''
      oktaClientSecret: ''
      oktaApiToken: ''
      licenseApiKey: ''
      githubClientSecret: ''
common:
  ingress:
    enabled: false
  service:
    enabled: false
  helmHooks:
    rbacBaseName: helm-hooks-rbac
ascp-user-portal-ui:
  enabled: true
ascp-domain-challenger:
  enabled: true
ascp-egress-gatekeeper:
  enabled: true
ascp-mr-tasks-manager:
  enabled: true
ascp-mr-user-api:
  enabled: true
ascp-mr-scanners-api:
  enabled: true
ascp-mr-presence-api:
  enabled: true
```