Prepare the configuration file
After you set up the AppScan 360° environment, and before you install, prepare the configuration file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml. The installation files of AppScan 360° Central Platform, AppScan Remediation Advisories, and Software Composition Analysis (SCA) refer to this file during installation.
To prepare the configuration file:
- Create a new file in the text editor of your choice.
- Populate the file with the appropriate parameters, as described in the table below. Note: Provide the server certificate in the custom file to be used as the ingress certificate for the service entry point. If you use that certificate, provide it as a PEM-structured certificate, as follows: the public key in a *.crt or *.cer file, and the private key in a *.key file.
- Depending on your installation method, name the file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml, and save it in the folder where you saved, or intend to save, the installation package. Note: The self-extracting installation file must be able to find this file during installation.
- Configure self-signed certificates (if applicable).
Configuration notes
Provide the server certificate in the custom file to be used as the ingress certificate for the service entry point. If you use that certificate, provide it as a PEM-structured certificate, as follows:
- the public key in a *.crt or *.cer file
- the private key in a *.key file
Configuration parameters
Note: Enclose all parameter values in quotation marks.
| Parameter | Description | Example value |
|---|---|---|
| CK_DOCKER_REGISTRY_ADDRESS | Docker image registry address (FQDN), optionally followed by a colon and a port. | pi-dpr-lin.appscan.com |
| CK_DOCKER_REGISTRY_USERNAME | Docker image registry user name. | |
| CK_DOCKER_REGISTRY_PASSWORD | Docker image registry password. | |
| CK_DOCKER_REGISTRY_CONTEXT | Docker registry context. Set to an empty string to push to the root, or remove it if not applicable. | |
| CK_DOCKER_REGISTRY_CONTEXT_4_ADDONS | Docker registry context for add-ons. Set to an empty string to push to the root, or remove it if not applicable. Can be set to the same value as CK_DOCKER_REGISTRY_CONTEXT for consistency. | |
| CK_HELM_REPOSITORY_CONTEXT | Helm repository context. Set to an empty string to push to the root, or remove it if not applicable. | |
| CK_HELM_REPOSITORY_CONTEXT_4_ADDONS | Helm repository context for add-ons. Set to an empty string to push to the root, or remove it if not applicable. Can be set to the same value as CK_HELM_REPOSITORY_CONTEXT for consistency. | |
| CK_CNI_NETWORK_DOMAIN_SUFFIX | The designated (main) domain name. | appscan.com |
| CK_CSI_STORAGE_CLASS_NAME | Kubernetes storage driver class name. | longhorn |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME | Kubernetes predefined PV (Persistent Volume) to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system. Note: Optional; if left empty, the PV is generated automatically by the PVC. | |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY | Designated size of the Kubernetes shared storage, to be calculated before installation. | 100Gi |
| CK_K8S_ASCP_NAMESPACE | Optional. Namespace for the platform components. | |
| CK_K8S_ASRA_NAMESPACE | Optional. Namespace for the ASRA components. | |
| NAMESPACE | Generic namespace override for the SCA installation. | |
| CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED | Indicates whether the ingress controller is NGINX-based, or whether the ingress controller itself (not via an annotation) supports SSL onload (HTTPS backend protocol). | false |
| CK_INGRESS_INTERNAL_CLASS | Ingress class name to use when deploying ingresses into the Kubernetes cluster. | nginx |
| CK_INGRESS_INTERNAL_HOST_DOMAIN | Domain used to build the host name when deploying ingresses into the Kubernetes cluster. Note: If left empty, the domain is taken from CK_CNI_NETWORK_DOMAIN_SUFFIX. | appscan.com |
| CK_INGRESS_INTERNAL_HOST_SUBDOMAIN | Subdomain used to build the host name when deploying ingresses into the Kubernetes cluster. | expo.ascp |
| CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED | Indicates whether to use the given certificate as the ingress certificate of the applicable external (out-of-cluster) microservices. Note: Provide the server certificate as part of the custom file, to be used as the ingress certificate for the service entry point, or provide it as a PEM-structured certificate, as follows: the public key in a *.crt or *.cer file, and the private key in a *.key file. | false |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64 | The certificate authority (CA) signing certificate of the certificate used as the ingress certificate of the applicable external (out-of-cluster) microservices. | `<BASE64_ENCODED_VALUE>` |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64 | The public key of the certificate used as the ingress certificate of the applicable external (out-of-cluster) microservices. | `<BASE64_ENCODED_VALUE>` |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64 | The private key of the certificate used as the ingress certificate of the applicable external (out-of-cluster) microservices. | `<BASE64_ENCODED_VALUE>` |
| CK_CONFIGURATION_DISCLOSED_SITE_URL | AppScan 360° front-end URL. Note: Do not add a trailing forward slash (/) to the URL. | https://expo.ascp.appscan.com |
| CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE | Defines the method for onboarding new users: AutoOnboard (any user with access to the server can log in to AppScan 360°), GroupsAccess (any user in an authorized group can log in), or ManualOnboard (users must be invited with the Add Users button on the Access management > Users page). | AutoOnboard |
| CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN | LDAP server/service domain. Important: When upgrading from AppScan 360° V1.1.0 or earlier, the LDAP configuration cannot be reused directly. Before installing, you must verify that all LDAP parameters meet the current (updated) AppScan 360° requirements. | appscan.il |
| CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME | LDAP server/service user name used to establish the connection. Note: Relevant when "ManualOnboard" is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | `<LDAP_USERNAME>` |
| CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS | Comma-separated list of the LDAP groups that are authorized to access AppScan 360°. Note: Relevant when "GroupsAccess" is specified for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | |
| CK_CONFIGURATION_DISCLOSED_LDAP_SSL | Indicates whether to establish a secure (SSL/TLS) connection to the LDAP server/service. | false |
| CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU | The designated location of the users in AD (Active Directory) for LDAP queries. Used to authenticate AD users during login to AppScan 360°. | Users,DC=appscan,DC=com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST | SMTP mail server/service host name. | wfilsus.israel.ottawa.watchfire.com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT | SMTP mail server/service port. | 25 |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME | SMTP mail server/service user name used to establish the connection. | `<SMTP_USERNAME>` |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL | Indicates whether to establish a secure (SSL/TLS) connection to the SMTP mail server/service. | false |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST | Optional. Host name of the dedicated upstream proxy. | 10.255.255.255 |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT | Optional. Port of the dedicated upstream proxy. | 3762 |
| CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_USERNAME | Optional. User name for the dedicated upstream proxy. | ProxyUserName |
| CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION | MSSQL data store (database) connection string used to establish the connection with the database. | `<DB_CONNECT_STRING>` |
| CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD | LDAP server/service password used to establish the connection. Note: Relevant when "ManualOnboard" is specified for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | `<LDAP_PASSWORD>` |
| CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD | SMTP mail server/service password used to establish the connection. | `<SMTP_PASSWORD>` |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PASSWORD | Optional. Password for the dedicated upstream proxy. | `<PROXY_PASSWORD>` |
| CK_CONFIGURATION_DISCLOSED_OIDC_CLIENT_ID | Optional. OpenIdConnect (OIDC) client ID used to establish a connection with the OIDC server. | |
| CK_CONFIGURATION_DISCLOSED_OIDC_AUTHORITY | Optional. OIDC authority base URL to use when making OpenIdConnect (OIDC) calls. | |
| CK_CONFIGURATION_CONFIDENTIAL_OIDC_CLIENT_SECRET | OpenIdConnect (OIDC) client secret used to establish a connection with the OIDC server. | |
| CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64 | Base64-encoded certificate used to configure OIDC. | |
| CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS | Domains used for OIDC. | |
| CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_SMTPS_AS_BASE64 | Certificate associated with SMTP. | |
| CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64 | Certificate associated with LDAP. | |
| CK_CUSTOMER_CA_CERTIFICATES_ENABLED | Enables the certificate customization specified in the certificate parameters. | true |
| SCA_CSI_STORAGE_CLASS_NAME | K8S storage driver class name. | |
| SCA_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY | Designated size of the K8S shared storage, to be calculated before installation. | |
| SCA_CSI_STORAGE_ACCESS_MODE | K8S storage driver access mode. | |
| SCA_CSI_STORAGE_VOLUME_NAME | Optional. K8S predefined persistent volume to use with the PVC. If empty, it is generated automatically. | |
| SCA_CONNECTIONSTRINGSSCAENGINEDATABASE | SCA engine database connection string. Note: Microsoft SQL Server must be installed. If necessary, escape commas with a backslash (\). | |
| SCA_CONNECTIONSTRINGSSCAAGGREGATIONDB | Aggregation database connection string. | |
| SCA_AUTOUPDATER_REGISTRY_ADDRESS | Optional. Required only if the sole registry is not the HCL AutoUpdater registry. | hclcr.io |
| SCA_AUTOUPDATER_REGISTRY_PATH | Optional. Required only if the registry and path differ from the defaults. | |
| SCA_AUTOUPDATER_HELM_PATH | Optional. Required only if the Helm repository path differs from the default. | |
| SCA_AUTOUPDATER_REGISTRY_USERNAME | Optional. User name for the registry used by the SCA AutoUpdater. | |
| SCA_AUTOUPDATER_REGISTRY_PASSWORD | Optional. Password for the registry used by the SCA AutoUpdater. | |
Configure self-signed certificates
If your environment uses custom self-signed certificates for SSO (for example, with Okta or Keycloak) or for LDAP (for example, with Active Directory or Domino LDAP), you must configure these certificates during installation. If you use a trusted root certificate, these steps are not required.
To configure self-signed certificates for a distributed installation:
- In the installation properties file (singular-singular.clusterKit.properties), specify the certificate as a base64 value.
  - For SSO authentication:
    CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64=<base64-value>
    CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true'
  - For LDAP authentication:
    CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64=<base64-value>
    CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true'
- If you are configuring SSO, specify the external domains to allow AppScan 360° to connect to your Okta or Keycloak tenant. For example:
    CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS='xxxxx.demo.com,XXXXX.abc.com'
To configure self-signed certificates for a Helm installation:
- Update the properties file (singular-singular.clusterKit.yaml) with the customer CA certificate settings:

```yaml
#
# Settings that need to be customized by the customer are marked with 'CUSTOMIZE_ME' comments
#
global:
  customer:
    certificate:
      ca:
        # CUSTOMIZE_ME:
        # Indication whether to use customer given CA certificates, or not
        enabled: true
        secret:
          data:
            # CUSTOMIZE_ME:
            # The customer's supplied CA certificate used for signing LDAPs based service(s)
            caCrtForLDAPsAsBase64: ' '
            # CUSTOMIZE_ME:
            # The customer's supplied CA certificate used for signing SMTPs based service(s)
            caCrtForSMTPsAsBase64: ' '
            # CUSTOMIZE_ME:
            # The customer's supplied CA certificate used for signing OIDCs based service(s)
            caCrtForOIDCsAsBase64: ' '
```

- Specify the certificates in the properties file:
  - Set enabled to true.
  - For SSO, specify the certificate in caCrtForOIDCsAsBase64.
  - For LDAP, specify the certificate in caCrtForLDAPsAsBase64.
To configure self-signed certificates for a single VM installation:
- Place the self-signed certificates (SSO or LDAP, as applicable) in the certificates folder.
- In step 8f of the procedure for customizing the single VM installation, specify the external domains to allow AppScan 360° to connect to your SSO or LDAP provider.
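As an added example (not code from the AppScan 360° documentation or installer), the following script checks a singular-singular.clusterKit.properties file against the rules stated above before you run the installer: every value quoted, no trailing slash in the site URL, the LDAP keys that each onboarding mode depends on, CA certificate values that decode to a PEM block, CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true' whenever a CA certificate is given, and external domains whenever an OIDC certificate is supplied. The sample input and its placeholder certificate are constructed for the example.

```python
# Added example (not part of the AppScan 360° installer): pre-install checks for
# singular-singular.clusterKit.properties, applying the rules the table states.
import base64
import re

_LINE = re.compile(r"^([A-Z0-9_]+)=(?:'([^']*)'|\"([^\"]*)\"|(.*))$")  # bare value -> group 4
CA_CERT_KEYS = ("CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64",
                "CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64",
                "CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_SMTPS_AS_BASE64")

def parse_properties(text):
    """Return (values, errors); the page requires every value to be quoted."""
    values, errors = {}, []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            errors.append(f"line {n}: not of the form KEY='value'")
            continue
        key, sq, dq, bare = m.groups()
        if bare is not None:
            errors.append(f"line {n}: {key} value is not quoted")
        values[key] = bare.strip() if bare is not None else (sq if sq is not None else dq)
    return values, errors

def is_pem_certificate(b64):
    """True if the base64 text decodes to a PEM certificate block."""
    try:
        pem = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return pem.lstrip().startswith("-----BEGIN CERTIFICATE-----")

def validate(v):
    """Apply the documented constraints; return the list of findings."""
    out, get = [], lambda k: v.get(k, "")
    if get("CK_CONFIGURATION_DISCLOSED_SITE_URL").endswith("/"):
        out.append("CK_CONFIGURATION_DISCLOSED_SITE_URL must not end with '/'")
    mode = get("CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE")
    needed = {"ManualOnboard": ("CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME",
                                "CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD"),
              "GroupsAccess": ("CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS",)}
    out += [f"{k} is required for {mode}" for k in needed.get(mode, ()) if not get(k)]
    supplied = [k for k in CA_CERT_KEYS if get(k).strip()]
    out += [f"{k} does not decode to a PEM certificate" for k in supplied
            if not is_pem_certificate(v[k])]
    if supplied and get("CK_CUSTOMER_CA_CERTIFICATES_ENABLED").lower() != "true":
        out.append("CK_CUSTOMER_CA_CERTIFICATES_ENABLED must be 'true' when a CA certificate is given")
    if get(CA_CERT_KEYS[0]).strip() and not get("CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS"):
        out.append("CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS is required when configuring SSO")
    return out

def check_file(text):
    values, errors = parse_properties(text)
    return errors + validate(values)

# Constructed sample input; the certificate is a placeholder PEM, not a real one.
SAMPLE_CERT_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIB-placeholder\n-----END CERTIFICATE-----\n").decode()
SAMPLE = f"""
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com/'
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='ManualOnboard'
CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME='labmgr'
CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD=unquoted
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64='{SAMPLE_CERT_B64}'
CK_CUSTOMER_CA_CERTIFICATES_ENABLED=''
"""
```

Running check_file(SAMPLE) reports the unquoted password, the trailing slash, and the missing CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true'; point it at your own file with check_file(open(path).read()).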
Sample singular-singular.clusterKit.properties

```properties
#
## Docker Registry info
#
CK_DOCKER_REGISTRY_ADDRESS='pi-dpr-lin.appscan.com'
CK_DOCKER_REGISTRY_USERNAME='user'
CK_DOCKER_REGISTRY_PASSWORD='password'
#
## Network info
#
CK_CNI_NETWORK_DOMAIN_SUFFIX='appscan.com'
#
## Storage info
#
CK_CSI_STORAGE_CLASS_NAME='longhorn'
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME=''
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY='100Gi'
#
## Ingress info
#
CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED='false'
CK_INGRESS_INTERNAL_CLASS='nginx'
CK_INGRESS_INTERNAL_HOST_DOMAIN='appscan.com'
CK_INGRESS_INTERNAL_HOST_SUBDOMAIN='expo.ascp'
#
## Customer certificate info
#
CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED='false'
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64=' '
#
## Configuration/Disclosed info
#
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com'
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_USERNAME=''
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='AutoOnboard'
CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN='appscan.com'
CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME='labmgr'
CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS=''
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='false'
CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU='CN=Users,DC=appscan,DC=com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST='wfilsus.israel.ottawa.watchfire.com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT='25'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME='admin@abcd'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL='false'
#
## Configuration/Confidential info
#
CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION='Data Source=mssql-service.expo.ascp.appscan.com;Initial Catalog=AppScanCloudDB;User ID=ABC;Password=1234;MultipleActiveResultSets=True;TrustServerCertificate=True'
CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD='12345678Abcdefg'
CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD='ABC!@#123'
CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_PASSWORD=''
#
## OIDC Configuration and Certificates
#
CK_CONFIGURATION_DISCLOSED_OIDC_CLIENT_ID=''
CK_CONFIGURATION_DISCLOSED_OIDC_AUTHORITY=''
CK_CONFIGURATION_CONFIDENTIAL_OIDC_CLIENT_SECRET=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64=''
CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_SMTPS_AS_BASE64=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64=''
CK_CUSTOMER_CA_CERTIFICATES_ENABLED=''
#
## SCA Configuration
#
SCA_CSI_STORAGE_CLASS_NAME=''
SCA_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY=''
SCA_CSI_STORAGE_ACCESS_MODE=''
SCA_CSI_STORAGE_VOLUME_NAME=''
SCA_CONNECTIONSTRINGSSCAENGINEDATABASE=''
SCA_CONNECTIONSTRINGSSCAAGGREGATIONDB=''
#
## SCA Auto Updater Configuration
#
SCA_AUTOUPDATER_REGISTRY_ADDRESS=''
SCA_AUTOUPDATER_REGISTRY_PATH=''
SCA_AUTOUPDATER_HELM_PATH=''
SCA_AUTOUPDATER_REGISTRY_USERNAME=''
SCA_AUTOUPDATER_REGISTRY_PASSWORD=''
#
## Registry Contexts Customization
#
CK_DOCKER_REGISTRY_CONTEXT=''
CK_HELM_REPOSITORY_CONTEXT=''
CK_DOCKER_REGISTRY_CONTEXT_4_ADDONS=''
CK_HELM_REPOSITORY_CONTEXT_4_ADDONS=''
#
## Namespace Customization
#
CK_K8S_ASCP_NAMESPACE=''
CK_K8S_ASRA_NAMESPACE=''
NAMESPACE=''
```
Sample singular-singular.clusterKit.yaml

```yaml
# Default values for ascp-dart-prime.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Settings that need to be customized by the customer are marked with 'CUSTOMIZE_ME' comments
#
global:
  customer:
    certificate:
      ca:
        # CUSTOMIZE_ME:
        # Indication whether to use customer given CA certificates, or not
        enabled: false
        secret:
          data:
            # CUSTOMIZE_ME:
            # The customer's supplied CA certificate used for signing LDAPs based service(s)
            caCrtForLDAPsAsBase64: ''
            # CUSTOMIZE_ME:
            # The customer's supplied CA certificate used for signing SMTPs based service(s)
            caCrtForSMTPsAsBase64: ''
            # CUSTOMIZE_ME:
            # The customer's supplied CA certificate used for signing OIDCs based service(s)
            caCrtForOIDCsAsBase64: ''
      ingress:
        # CUSTOMIZE_ME:
        # Indication whether to use a customer given certificate as the applicable external (out-of-cluster) micro services ingresses certificates, or not
        enabled: false
        secret:
          data:
            # CUSTOMIZE_ME:
            # The customer's supplied certificate authority (CA) signing certificate of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
            caCrtAsBase64: ''
            # CUSTOMIZE_ME:
            # The customer's supplied public key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
            tlsCrtAsBase64: ''
            # CUSTOMIZE_ME:
            # The customer's supplied private key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
            tlsKeyAsBase64: ''
    storage:
      pvc:
        linux:
          enabled: true
          # The customer's K8S storage driver access mode
          # NOTE: Set on 'ReadWriteMany' and should not be changed
          accessMode: ReadWriteMany
          # CUSTOMIZE_ME:
          # The customer's K8S storage driver class name
          # NOTE: The CSI driver must support 'ReadWriteMany' access mode
          # storageClassName: freenas-nfs-csi
          storageClassName: longhorn
          # CUSTOMIZE_ME:
          # The customer's K8S predefined PV (Persistent Volume), to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system
          # NOTES:
          # 1. This field is optional, if left empty, the designated PV will be generated automatically by the PVC
          # 2. This ability is generally used in case migrating from the Windows VM based version of AppScan 360°, and there is a need to keep the existing (shared) data
          # 3. Note: In case the PV is NOT intended to be associated with any storage class, do the following:
          #    3.1 The storage class name parameter (CK_CSI_STORAGE_CLASS_NAME) should be set to a pseudo one (e.g., 'manual')
          #    3.2 The PV should be set in the same way (regarding its storage-class parameter) as the PVC
          volumeName: null
          # CUSTOMIZE_ME:
          # The customer's K8S shared storage designated size, to be calculated before installation, following the calculation logic outlined in the formal documentation
          requestedCapacity: 50Gi
          accessMode: ReadWriteMany # SCA
          requestedCapacity: 10Gi # SCA
          storageClassName: manual # SCA
          volumeName: '' # SCA
  ca:
    seed:
      enabled: true
      issuer:
        name: appscan-seed-ca-clusterissuer
        kind: ClusterIssuer
      root:
        secret:
          data:
            # Auto generated root CA certificate
            tlsCrtAsBase64: null
            # Auto generated root CA private key
            tlsKeyAsBase64: null
        certificate:
          name: appscan-root-ca-cert
          duration: 26280h0m0s # 3 years
          renewBefore: 8760h0m0s # 1 year
  ingress:
    controller:
      capabilities:
        # CUSTOMIZE_ME:
        # Indicates whether the Ingress Controller is based on NGINX, or the SSL onload (HTTPS backend protocol) is supported by the ingress controller (not via an annotation, but by the controller itself!), or not
        isHttpsBackendProtocolSupported: true
    internal:
      # CUSTOMIZE_ME:
      # The ingress class name to be used when deploying ingresses into the customer's K8S cluster
      class: nginx
      host:
        # CUSTOMIZE_ME:
        # The (main) domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
        # NOTE: If left empty, it will be taken from the 'global.network.domainSuffix' field
        domain: appscan.com
        # CUSTOMIZE_ME:
        # The sub domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
        subDomain: as360
  network:
    # CUSTOMIZE_ME:
    # The customer's designated (main) domain name
    domainSuffix: appscan.com
  configuration:
    disclosed:
      # CUSTOMIZE_ME:
      # AS360 frontend URL (of the UI)
      # NOTE: The URL must NOT have a trailing '/' at the end of the URL (A valid example: 'https://mydomain.server.com', an invalid example: 'https://mydomain.server.com/')
      siteUrl: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service domain
      # NOTES:
      # 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      # 2. Once set, it has precedence over the UI settings
      # 3. This is a key setting, IFF set, it will override the UI related settings (alongside with all the other LDAP related settings below)
      ldapDomain: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service user name (for establishing connection)
      # NOTES:
      # 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      # 2. Once set, it has precedence over the UI settings
      # 3. Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapUsername: ''
      # CUSTOMIZE_ME:
      # The customer's list of LDAP groups (comma-separated) that are authorized to access the AppScan 360°
      # NOTES:
      # 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      # 2. Once set, it has precedence over the UI settings
      # 3. Relevant IFF 'GroupsAccess' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapAuthorizedGroups: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's LDAP server/service, or not
      # NOTES:
      # 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      # 2. Once set, it has precedence over the UI settings
      # 3. Valid values are 'True' or 'False'
      ldapSsl: ''
      # CUSTOMIZE_ME:
      # The customer's designated location of the users in its AD (Active Directory) for LDAP queries, it is used to authenticate AD users during login to AppScan 360°
      # NOTES:
      # 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      # 2. Once set, it has precedence over the UI settings
      ldapTargetOU: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service host name
      mailSmtpHost: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service port
      mailSmtpPort: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service user name (for establishing connection)
      mailSmtpUserName: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's SMTP mail server/service, or not
      # NOTE: Valid values are 'True' or 'False'
      mailSmtpEnableSsl: ''
      # CUSTOMIZE_ME:
      # Define your method for onboarding new users:
      # AutoOnboard: Any user with access to the server can log in to AppScan 360°.
      # GroupsAccess: Any user in an authorized group (defined below) can log in to AppScan 360°.
      # ManualOnboard: Users must be invited using the Add Users button on the Access management > Users page.
      externalIDPMode: 'AutoOnboard'
      # CUSTOMIZE_ME:
      # The customer's comma delimited external domains to allow access to, particularly crucial for establishing communication with OpenID Connect (OIDC) servers
      externalDomains: ''
      # CUSTOMIZE_ME:
      # Optional set of parameters, to be used IFF the customer has a dedicated upstream proxy (used to enable Internet access from within the customer's network),
      # holding the customer's upstream proxy settings (for establishing connection), if applicable.
      # NOTE: Currently there is NO support using a script to configure the upstream proxy settings
      # The customer's upstream proxy host (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyHost: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy port (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyPort: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy username (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyUsername: ''
      # CUSTOMIZE_ME:
      # The customer's designated K8S ASRA namespace to be used for AS360 installation
      # NOTE: This field is optional, If left empty, a factory default will be used
      k8sAsraNamespace: 'hcl-appscan-asra'
      # CUSTOMIZE_ME:
      # The customer's OpenIdConnect (OIDC) client ID (used to establish a connection with the OIDC server)
      # NOTES:
      # 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      # 2. Once set, it has precedence over the UI settings
      # 3. IFF set, ALL other OIDC related parameters must be set as well in order to actually override the UI related settings
      oidcClientId: ''
      # CUSTOMIZE_ME:
      # The customer's OIDC authority base URL to use when making OpenIdConnect (OIDC) calls
      # NOTES:
      # 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      # 2. Once set, it has precedence over the UI settings
      # 3. IFF set, ALL other OIDC related parameters must be set as well in order to actually override the UI related settings
      oidcAuthority: ''
    confidential:
      # CUSTOMIZE_ME:
      # The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
      defaultConnection: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service password (for establishing connection)
      # NOTES:
      # 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      # 2. Once set, it has precedence over the UI settings
      # 3. Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapPassword: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service password (for establishing connection)
      mailSmtpPassword: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy password (for establishing connection), an optional parameter, to be used IFF the customer has a dedicated upstream proxy
      upstreamProxyPassword: ''
      # CUSTOMIZE_ME:
      # The customer's OpenIdConnect (OIDC) client secret (used to establish a connection with the OIDC server)
      # NOTES:
      # 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
      # 2. Once set, it has precedence over the UI settings
      # 3. IFF set, ALL other OIDC related parameters must be set as well in order to actually override the UI related settings
      oidcClientSecret: ''
      #
      # Below entries are not required for ASOP/AS360
      #
      opsConsoleDPKey: ''
      licenseApiKey: ''
      githubClientSecret: ''
common:
  ingress:
    enabled: false
  service:
    enabled: false
helmHooks:
  rbacBaseName: helm-hooks-rbac
ascp-user-portal-ui:
  enabled: true
ascp-domain-challenger:
  enabled: true
ascp-egress-gatekeeper:
  enabled: true
ascp-mr-tasks-manager:
  enabled: true
ascp-mr-user-api:
  enabled: true
ascp-mr-scanners-api:
  enabled: true
ascp-mr-presence-api:
  enabled: true
ascp-mr-iast-api:
  enabled: true
scaenginefetchcve:
  common:
    # CUSTOMIZE_ME:
    # The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
    # If the connection string contains a comma, escape it with a backslash (\,)
    scaservicesecrets:
      ConnectionStrings__ScaAggregationDB: ''
scaenginescanmonitorapi:
  common:
    scaservicesecrets:
      # CUSTOMIZE_ME:
      # The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
      # If the connection string contains a comma, escape it with a backslash (\,).
      ConnectionStrings__ScaEngineDatabase: ''
```