Prepare the configuration file
After setting up the AppScan 360° environment, and before installing, prepare the configuration file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml. The AppScan 360° Central Platform and AppScan Remediation Advisor installation files read this file during installation.
To prepare the configuration file:
- Create a new file in a text editor of your choice.
- Populate the file with the appropriate parameters, as described in the table below (see the configuration notes for how to supply a server certificate).
- Name the file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml, according to your installation method, and save it to the folder where you have saved, or intend to save, the installation package. Note: the self-extracting installer must be able to locate this file during installation.
Configuration notes
You can provide a server certificate as part of the customized file, to be used as the ingress certificate for the service entry points. If you use this certificate, supply it as a PEM-structured certificate, as follows:
- the public key (certificate) from the *.crt or *.cer file
- the private key from the *.key file
Each PEM file is supplied as one base64-encoded value in the corresponding CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_*_AS_BASE64 parameter, with CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED set to true. The private key, like the CK_CONFIGURATION_CONFIDENTIAL_* values, is stored in clear text in this file, so restrict read access to the file to the user performing the installation.
Configuration parameters
Note: enclose all parameter values in quotes. Parameters whose names contain CONFIDENTIAL hold secrets (passwords and the database connection string); those whose names contain DISCLOSED hold non-secret settings.
| Parameter | Description | Example value |
|---|---|---|
| CK_DOCKER_REGISTRY_ADDRESS | Docker image registry address (FQDN), optionally with a colon-separated port. | pi-dpr-lin.appscan.com |
| CK_DOCKER_REGISTRY_USERNAME | Docker image registry user name. | |
| CK_DOCKER_REGISTRY_PASSWORD | Docker image registry password. | |
| CK_CNI_NETWORK_DOMAIN_SUFFIX | Designated (main) domain name. | appscan.com |
| CK_CSI_STORAGE_CLASS_NAME | Kubernetes storage driver class name. | longhorn |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME | Kubernetes predefined PV (Persistent Volume) to use with the auto-generated PVC (Persistent Volume Claim) for the shared file system. Note: optional; if left empty, the PV is generated automatically by the PVC. Generally used when migrating from the Windows VM based version of AppScan 360° and the existing (shared) data must be kept; see the notes on volumeName in the YAML example below. | |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY | Designated size of the Kubernetes shared storage, to be calculated before installation following the calculation logic described in the formal documentation. | 100Gi |
| CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED | Indicates whether the ingress controller is NGINX-based, or whether SSL onload (HTTPS backend protocol) is supported by the ingress controller itself (not via an annotation). | false |
| CK_INGRESS_INTERNAL_CLASS | Ingress class name to use when deploying ingresses into the Kubernetes cluster. | nginx |
| CK_INGRESS_INTERNAL_HOST_DOMAIN | Domain to use for building host names when deploying ingresses into the Kubernetes cluster. Note: if left empty, it is taken from CK_CNI_NETWORK_DOMAIN_SUFFIX. | appscan.com |
| CK_INGRESS_INTERNAL_HOST_SUBDOMAIN | Subdomain to use for building host names when deploying ingresses into the Kubernetes cluster. | expo.ascp |
| CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED | Indicates whether the specified certificate is used as the ingress certificate for the applicable external (out-of-cluster) microservices. Note: when true, provide the server certificate in the three *_AS_BASE64 parameters below as a PEM-structured certificate: the public key from the *.crt or *.cer file and the private key from the *.key file. | false |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64 | Certificate authority (CA) signing certificate of the certificate used as the ingress certificate for the applicable external (out-of-cluster) microservices. | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64 | Public key (certificate) of the certificate used as the ingress certificate for the applicable external (out-of-cluster) microservices. | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64 | Private key of the certificate used as the ingress certificate for the applicable external (out-of-cluster) microservices. | <BASE64_ENCODED_VALUE> |
| CK_CONFIGURATION_DISCLOSED_SITE_URL | AppScan 360° frontend URL. Note: do not include a trailing slash (/) in the URL. | https://expo.ascp.appscan.com |
| CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE | Defines the method for onboarding new users. AutoOnboard: any user with access to the server can log in to AppScan 360°. GroupsAccess: any user in an authorized group (CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS) can log in. ManualOnboard: users must be invited using the Add Users button on the Access management > Users page. | AutoOnboard |
| CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN | LDAP server/service domain. Important: when upgrading from AppScan 360° 1.1.0 or earlier, the LDAP configuration cannot be carried over as-is. Before installing, confirm that all LDAP parameters meet the current (or upgraded) requirements of AppScan 360°. | appscan.il |
| CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME | LDAP server/service user name used to establish the connection. Note: relevant when 'ManualOnboard' is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | <LDAP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS | Comma-separated list of LDAP groups authorized to access AppScan 360°. Note: relevant when 'GroupsAccess' is specified for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | |
| CK_CONFIGURATION_DISCLOSED_LDAP_SSL | Indicates whether to establish a secured (SSL/TLS) connection to the LDAP server or service. | false |
| CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU | Designated location of the users in AD (Active Directory) for LDAP queries; used to authenticate AD users when they log in to AppScan 360°. | Users,DC=appscan,DC=com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST | SMTP mail server/service host name. | wfilsus.israel.ottawa.watchfire.com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT | SMTP mail server/service port. | 25 |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME | SMTP mail server/service user name used to establish the connection. | <SMTP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL | Indicates whether to establish a secured (SSL/TLS) connection to the SMTP mail server or service. | false |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST | Optional. Host name of the dedicated upstream proxy. | 10.255.255.255 |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT | Optional. Port of the dedicated upstream proxy. | 3762 |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_USERNAME | Optional. User name for the dedicated upstream proxy. | ProxyUserName |
| CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION | MSSQL data store (database) connection string used to establish the database connection. | <DB_CONNECT_STRING> |
| CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD | LDAP server/service password used to establish the connection. Note: relevant when 'ManualOnboard' is specified for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | <LDAP_PASSWORD> |
| CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD | SMTP mail server/service password used to establish the connection. | <SMTP_PASSWORD> |
| CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_PASSWORD | Optional. Password for the dedicated upstream proxy. | <PROXY_PASSWORD> |
Example singular-singular.clusterKit.properties

```properties
#
## Docker Registry info
#
CK_DOCKER_REGISTRY_ADDRESS='pi-dpr-lin.appscan.com'
CK_DOCKER_REGISTRY_USERNAME='user'
CK_DOCKER_REGISTRY_PASSWORD='password'
#
## Network info
#
CK_CNI_NETWORK_DOMAIN_SUFFIX='appscan.com'
#
## Storage info
#
CK_CSI_STORAGE_CLASS_NAME='longhorn'
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME=''
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY='100Gi'
#
## Ingress info
#
CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED='false'
CK_INGRESS_INTERNAL_CLASS='nginx'
CK_INGRESS_INTERNAL_HOST_DOMAIN='appscan.com'
CK_INGRESS_INTERNAL_HOST_SUBDOMAIN='expo.ascp'
#
## Customer certificate info
#
CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED='false'
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64=' '
#
## Configuration/Disclosed info
#
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com'
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_USERNAME=''
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='AutoOnboard'
CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN='appscan.com'
CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME='labmgr'
CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS=''
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='false'
CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU='CN=Users,DC=appscan,DC=com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST='wfilsus.israel.ottawa.watchfire.com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT='25'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME='admin@abcd'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL='false'
#
## Configuration/Confidential info
#
CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION='Data Source=mssql-service.expo.ascp.appscan.com;Initial Catalog=AppScanCloudDB;User ID=ABC;Password=1234;MultipleActiveResultSets=True;TrustServerCertificate=True'
CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD='12345678Abcdefg'
CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD='ABC!@#123'
CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_PASSWORD=''
```
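Before handing the file to the installer, it is worth checking it against the rules stated in the procedure, the configuration notes and the parameter table: every value quoted, no trailing slash in the site URL, the three *_AS_BASE64 certificate fields decoding to PEM of the right kind, the LDAP parameters that each IDP mode depends on present, and which of the LDAP, SMTP and MSSQL connections are left without TLS. The following Python script is an added example, not part of the AppScan 360° installer or its documentation; the parameter names are the ones in the table, while the set of parameters it treats as required, the PEM-framing test and the warning on TrustServerCertificate=True are this script's own assumptions. It runs offline over a constructed subset of the example file above.

```python
"""Pre-install sanity check for singular-singular.clusterKit.properties.
Added example, not part of the AppScan 360° installer: the parameter names are
the ones in the table above; the checks are this script's own assumptions."""
import base64
import re

LINE_RE = re.compile(r"^([A-Z0-9_]+)=(.*)$")
IDP_MODES = {"AutoOnboard", "GroupsAccess", "ManualOnboard"}
REQUIRED = ("CK_CONFIGURATION_DISCLOSED_SITE_URL", "CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE",
            "CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION")
CERT_PREFIX = "CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_"
CERT_FIELDS = {"CA_CRT_AS_BASE64": "CERTIFICATE", "TLS_CRT_AS_BASE64": "CERTIFICATE",
               "TLS_KEY_AS_BASE64": "PRIVATE KEY"}
PEM_MARKERS = {"CERTIFICATE": re.compile(r"-----BEGIN CERTIFICATE-----"),
               "PRIVATE KEY": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")}
SSL_FLAGS = ("CK_CONFIGURATION_DISCLOSED_LDAP_SSL", "CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL")

def parse_properties(text):
    """Return ({name: unquoted value}, errors); every value must be quoted."""
    params, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {n}: expected NAME='value'")
            continue
        name, value = m.groups()
        if len(value) < 2 or value[0] not in "'\"" or value[-1] != value[0]:
            errors.append(f"line {n}: value of {name} must be quoted")
            continue
        params[name] = value[1:-1]
    return params, errors

def pem_to_property_value(pem_bytes):
    """Base64 of the whole PEM file, headers included: the *_AS_BASE64 form."""
    return base64.b64encode(pem_bytes).decode("ascii")

def check_pem_field(value, kind):
    """Decode a *_AS_BASE64 value and confirm it frames a PEM block of `kind`."""
    try:
        pem = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return PEM_MARKERS[kind].search(pem) is not None

def validate(params):
    """Cross-parameter checks; returns (errors, warnings)."""
    errors, warnings = [], []
    get = lambda key: params.get(key, "")
    errors += [f"{k} is required" for k in REQUIRED if not get(k)]
    if get("CK_CONFIGURATION_DISCLOSED_SITE_URL").endswith("/"):
        errors.append("CK_CONFIGURATION_DISCLOSED_SITE_URL must not end with '/'")
    mode = get("CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE")
    if mode not in IDP_MODES:
        errors.append(f"unknown CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE {mode!r}")
    if mode == "GroupsAccess" and not get("CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS"):
        errors.append("GroupsAccess needs CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS")
    if mode == "ManualOnboard" and not (get("CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME")
                                       and get("CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD")):
        errors.append("ManualOnboard needs the LDAP user name and password")
    for flag in SSL_FLAGS:
        value = get(flag).lower()
        if value not in ("true", "false"):
            errors.append(f"{flag} must be 'true' or 'false'")
        elif value == "false":
            warnings.append(f"{flag}='false': the connection is not TLS-protected")
    if "trustservercertificate=true" in get("CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION").lower():
        warnings.append("DEFAULT_CONNECTION: TrustServerCertificate=True skips MSSQL certificate validation")
    if get("CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED").lower() == "true":
        for suffix, kind in CERT_FIELDS.items():
            if not check_pem_field(get(CERT_PREFIX + suffix), kind):
                errors.append(f"{CERT_PREFIX + suffix} is not base64 of a PEM {kind}")
    return errors, warnings

def check_text(text):
    """Parse and validate a properties file body; returns (errors, warnings)."""
    params, errors = parse_properties(text)
    more, warnings = validate(params)
    return errors + more, warnings

# Constructed sample: a subset of the example file above, with placeholder PEM
# blobs (only the PEM framing is checked, so no real key material is needed).
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
SAMPLE = f"""\
CK_DOCKER_REGISTRY_ADDRESS='pi-dpr-lin.appscan.com'
CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED='true'
{CERT_PREFIX}CA_CRT_AS_BASE64='{pem_to_property_value(FAKE_CERT)}'
{CERT_PREFIX}TLS_CRT_AS_BASE64='{pem_to_property_value(FAKE_CERT)}'
{CERT_PREFIX}TLS_KEY_AS_BASE64='{pem_to_property_value(FAKE_KEY)}'
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com'
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='GroupsAccess'
CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS='appscan-users'
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='false'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL='true'
CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION='Data Source=mssql;Initial Catalog=AppScanCloudDB;User ID=ABC;Password=1234;TrustServerCertificate=True'
"""
```

To use it on a real file, pass the file contents to check_text and refuse to install while it returns errors; pem_to_property_value gives the exact string to paste into the *_AS_BASE64 parameters from a .crt, .cer or .key file read in binary mode. The warnings are judgement calls: LDAP_SSL='false' and a TrustServerCertificate=True connection string both work, but they send the LDAP bind and the database session without server authentication. Keep the properties file readable only by the installing user, since it carries the registry, LDAP, SMTP and database passwords and the ingress private key in clear text.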
Example singular-singular.clusterKit.yaml

```yaml
# Default values for ascp-dart-prime.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Settings that need to be customized by the customer are marked with 'CUSTOMIZE_ME' comments
#
global:
  # customer:
  #   certificate:
  #     ingress:
  #       # CUSTOMIZE_ME:
  #       # Indication whether to use a customer given certificate as the applicable external (out-of-cluster) micro services ingresses certificates, or not
  #       enabled: false
  #       secret:
  #         data:
  #           # CUSTOMIZE_ME:
  #           # The customer's supplied certificate authority (CA) signing certificate of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
  #           caCrtAsBase64: ''
  #           # CUSTOMIZE_ME:
  #           # The customer's supplied public key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
  #           tlsCrtAsBase64: ''
  #           # CUSTOMIZE_ME:
  #           # The customer's supplied private key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
  #           tlsKeyAsBase64: ''
  workload:
    dockerPrivateRegistry:
      secret:
        enabled: true
        name: ascp-docker-registry-secret
        data:
          # Auto generated Docker private registry user credentials configuration
          jsonConfigAsBase64: ""
  storage:
    pvc:
      linux:
        enabled: true
        # The customer's K8S storage driver access mode
        # NOTE: Set on 'ReadWriteMany' and should not be changed
        accessMode: ReadWriteMany
        # CUSTOMIZE_ME:
        # The customer's K8S storage driver class name
        # NOTE: The CSI driver must support 'ReadWriteMany' access mode
        # storageClassName: freenas-nfs-csi
        storageClassName: longhorn
        # CUSTOMIZE_ME:
        # The customer's K8S predefined PV (Persistent Volume), to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system
        # NOTES:
        # 1. This field is optional, if left empty, the designated PV will be generated automatically by the PVC
        # 2. This ability is generally used in case migrating from the Windows VM based version of AppScan 360°, and there is a need to keep the existing (shared) data
        # 3. Note: In case the PV is NOT intended to be associated with any storage class, do the following:
        #    3.1 The storage class name parameter (CK_CSI_STORAGE_CLASS_NAME) should be set to a pseudo one (e.g., 'manual')
        #    3.2 The PV should be set in the same way (regarding its storage-class parameter) as the PVC
        volumeName: null
        # CUSTOMIZE_ME:
        # The customer's K8S shared storage designated size, to be calculated before installation, following the calculation logic outlined in the formal documentation
        requestedCapacity: 50Gi
  ca:
    seed:
      enabled: true
      issuer:
        name: appscan-seed-ca-clusterissuer
        kind: ClusterIssuer
    root:
      secret:
        data:
          # Auto generated root CA certificate
          tlsCrtAsBase64: null
          # Auto generated root CA private key
          tlsKeyAsBase64: null
      certificate:
        name: appscan-root-ca-cert
        duration: 26280h0m0s # 3 years
        renewBefore: 8760h0m0s # 1 year
  # ingress:
  #   controller:
  #     capabilities:
  #       # CUSTOMIZE_ME:
  #       # Indicates whether the Ingress Controller is based on NGINX, or the SSL onload (HTTPS backend protocol) is supported by the ingress controller (not via an annotation, but by the controller itself!), or not
  #       isHttpsBackendProtocolSupported: true
  #   internal:
  #     # CUSTOMIZE_ME:
  #     # The ingress class name to be used when deploying ingresses into the customer's K8S cluster
  #     class: nginx
  #     host:
  #       # CUSTOMIZE_ME:
  #       # The (main) domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
  #       # NOTE: If left empty, it will be taken from the 'global.network.domainSuffix' field
  #       domain: appscan.com
  #       # CUSTOMIZE_ME:
  #       # The sub domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
  #       subDomain: as360
  network:
    # CUSTOMIZE_ME:
    # The customer's designated (main) domain name
    domainSuffix: appscan.com
  configuration:
    disclosed:
      # CUSTOMIZE_ME:
      # AS360 frontend URL (of the UI)
      # NOTE: The URL must NOT have a trailing '/' at the end of the URL (A valid example: 'https://mydomain.server.com', an invalid example: 'https://mydomain.server.com/')
      siteUrl: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service domain
      ldapDomain: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service user name (for establishing connection)
      # NOTE: Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapUsername: ''
      # CUSTOMIZE_ME:
      # The customer's list of LDAP groups (comma-separated) that are authorized to access the AppScan 360°
      # NOTE: Relevant IFF 'GroupsAccess' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapAuthorizedGroups: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's LDAP server/service, or not
      # NOTE: Valid values are 'True' or 'False'
      ldapSsl: ''
      # CUSTOMIZE_ME:
      # The customer's designated location of the users in its AD (Active Directory) for LDAP queries, it is used to authenticate AD users during login to AppScan 360°
      ldapTargetOU: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service host name
      mailSmtpHost: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service port
      mailSmtpPort: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service user name (for establishing connection)
      mailSmtpUserName: ''
      # CUSTOMIZE_ME:
      # Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's SMTP mail server/service, or not
      # NOTE: Valid values are 'True' or 'False'
      mailSmtpEnableSsl: ''
      # CUSTOMIZE_ME:
      # Define your method for onboarding new users:
      #   AutoOnboard: Any user with access to the server can log in to AppScan 360°.
      #   GroupsAccess: Any user in an authorized group (defined above) can log in to AppScan 360°.
      #   ManualOnboard: Users must be invited using the Add Users button on the Access management > Users page.
      externalIDPMode: ''
      # CUSTOMIZE_ME:
      # Optional set of parameters, to be used IFF the customer has a dedicated upstream proxy (used to enable Internet access from within the customer's network),
      # holding the customer's upstream proxy settings (for establishing connection), if applicable.
      # NOTES:
      # 1. Currently there is NO support using a script to configure the upstream proxy settings
      # The customer's upstream proxy host (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyHost: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy port (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyPort: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy username (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
      upstreamProxyUsername: ''
    confidential:
      # CUSTOMIZE_ME:
      # The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
      defaultConnection: ''
      # CUSTOMIZE_ME:
      # The customer's LDAP server/service password (for establishing connection)
      # NOTE: Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
      ldapPassword: ''
      # CUSTOMIZE_ME:
      # The customer's SMTP mail server/service password (for establishing connection)
      mailSmtpPassword: ''
      # CUSTOMIZE_ME:
      # The customer's upstream proxy password (for establishing connection), an optional parameter, to be used IFF the customer has a dedicated upstream proxy
      upstreamProxyPassword: ''
      #
      # Below entries are not required for ASOP/AS360
      #
      opsConsoleDPKey: ''
      oktaClientSecret: ''
      oktaApiToken: ''
      licenseApiKey: ''
      githubClientSecret: ''
common:
  ingress:
    enabled: false
  service:
    enabled: false
  helmHooks:
    rbacBaseName: helm-hooks-rbac
ascp-user-portal-ui:
  enabled: true
ascp-domain-challenger:
  enabled: true
ascp-egress-gatekeeper:
  enabled: true
ascp-mr-tasks-manager:
  enabled: true
ascp-mr-user-api:
  enabled: true
ascp-mr-scanners-api:
  enabled: true
ascp-mr-presence-api:
  enabled: true
```