Scanning sites that use client certificates
ASoC does not currently offer a way to configure a client certificate from the user interface or the API, but you can do this in AppScan Standard 10.0.8 (or later).
However, there is a limitation: when you save a scan template (SCANT file) directly in AppScan Standard, the certificate is not saved in the template. Use the following procedures to scan sites that use client certificates.
To configure and run the scan from AppScan Standard:
- Configure the scan, including the client certificate, in AppScan Standard 10.0.8 (or later).
- In AppScan Standard, use the AppScan Connect feature to upload the configuration to ASoC and run the scan.
Note: The certificate is saved in the scan template only when you upload it with AppScan Connect. It is not included if you save the scan directly as a SCANT file.

To obtain a SCANT file that includes the certificate and run the scan through the ASoC API:
- In AppScan Standard, use AppScan Connect to download the SCANT file from ASoC (the one uploaded as described above).
- Open the scan in AppScan Standard and save it as a SCANT file. The client certificate is now included in the file.
- Use the ASoC FileUpload API to upload the SCANT file and get a file ID.
- Use this ID to create the DAST scan using the DynamicAnalyzerWithFile API.
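The last two steps are the scriptable part of the procedure. The following Python script is an added example, not HCL's own code: it logs in with an API key, uploads the SCANT file with the FileUpload API and creates the scan with the DynamicAnalyzerWithFile API. The endpoint paths (ASoC REST API v2), the multipart field name `fileToUpload`, the JSON field names (`KeyId`, `KeySecret`, `ScanFileId`, `AppId`, `PresenceId` and so on), the environment variable names and the region base URL are assumptions; confirm them against your tenant's Swagger page before use. Each call is built by a pure function and sent through an injectable `post` callable, so the request shapes can be checked offline.

```python
import json
import os
import urllib.request
import uuid

# Assumption: base URL of your ASoC region (cloud.appscan.com is the US one).
ASOC_BASE = os.environ.get("ASOC_BASE", "https://cloud.appscan.com")


def api_key_login_request(key_id, key_secret):
    """Assumed: POST /api/v2/Account/ApiKeyLogin replies {"Token": "..."}."""
    return {
        "method": "POST",
        "path": "/api/v2/Account/ApiKeyLogin",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"KeyId": key_id, "KeySecret": key_secret}).encode(),
    }


def file_upload_request(token, filename, content):
    """Assumed: POST /api/v2/FileUpload (multipart) replies {"FileId": "..."}.

    The SCANT file carries the client certificate, so treat it as a secret:
    keep it out of logs and delete local copies once the scan is created.
    """
    boundary = "----asoc-" + uuid.uuid4().hex
    # Assumption: the form field is named fileToUpload, as in the v2 Swagger.
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="fileToUpload"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return {
        "method": "POST",
        "path": "/api/v2/FileUpload",
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": f"multipart/form-data; boundary={boundary}",
        },
        "body": head + content + tail,
    }


def dynamic_analyzer_with_file_request(token, file_id, app_id, scan_name, presence_id=None):
    """Assumed: POST /api/v2/Scans/DynamicAnalyzerWithFile replies with the scan ("Id")."""
    body = {
        "ScanFileId": file_id,  # the ID returned by FileUpload
        "ScanName": scan_name,
        "AppId": app_id,
        "Execute": True,  # start the scan right away instead of only creating it
        "EnableMailNotification": False,
        "Locale": "en-US",
    }
    if presence_id is not None:
        body["PresenceId"] = presence_id  # private sites are scanned through a Presence
    return {
        "method": "POST",
        "path": "/api/v2/Scans/DynamicAnalyzerWithFile",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps(body).encode(),
    }


def send(req):
    """Send one prepared request to ASoC over HTTPS and decode the JSON reply."""
    http_req = urllib.request.Request(
        ASOC_BASE + req["path"], data=req["body"], headers=req["headers"], method=req["method"]
    )
    with urllib.request.urlopen(http_req, timeout=60) as resp:
        return json.loads(resp.read().decode())


def start_scan_from_scant(post, key_id, key_secret, scant_path, scant_bytes,
                          app_id, scan_name, presence_id=None):
    """Log in, upload the SCANT file, then create the scan from its file ID.

    `post` takes a prepared request and returns the decoded JSON reply; pass
    `send` for a real run or a stub that records the calls for offline checks.
    """
    token = post(api_key_login_request(key_id, key_secret))["Token"]
    upload = post(file_upload_request(token, os.path.basename(scant_path), scant_bytes))
    return post(dynamic_analyzer_with_file_request(token, upload["FileId"], app_id,
                                                   scan_name, presence_id))


if __name__ == "__main__":
    # Real run: credentials and IDs come from the environment, never from source.
    with open(os.environ["SCANT_PATH"], "rb") as fh:
        data = fh.read()
    scan = start_scan_from_scant(
        send, os.environ["ASOC_KEY_ID"], os.environ["ASOC_KEY_SECRET"],
        os.environ["SCANT_PATH"], data, os.environ["ASOC_APP_ID"],
        "Client-certificate scan", presence_id=os.environ.get("ASOC_PRESENCE_ID"),
    )
    print("Created scan", scan.get("Id"))
```

The bearer token is sent on every call after the login, and the file ID returned by FileUpload is what `ScanFileId` must carry; if the scan is for a private site, pass the Presence ID so the scan is routed through your Presence.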
Client certificates for private sites
Before a scan starts, the AppScan Presence verifies that it can access the scan's starting URL. If it cannot, the scan fails immediately.
When a private site requires a client certificate, this check fails because the Presence itself does not hold the client certificate (only the scan configuration does). Resolve this by directing the Presence to run the scan even though it cannot reach the web application being scanned. Note that this disables the fail-fast check: a Presence that genuinely cannot reach the site no longer fails immediately, so confirm reachability by other means before relying on the scan results.
- In the root folder of the Presence, locate appsettings.json and open it with a text editor.
- Set:
"StartingUrlTestNotFailing": true,