Deploying a Java IAST agent
You can deploy an IAST agent on an application server that hosts Java, .NET, Node.js or PHP based applications. This section explains how to deploy the Java agent type on your web server.
Before you begin
The simplest and most effective way to use IAST is to deploy it as a WAR file servlet on your web server. When this is not possible, for example when running IAST on a Quarkus framework, the IAST agent can be installed as a Java agent using a JAR file.
Support: Only web application servers running JRE/JDK 1.8 or higher are supported.
- If the server where IAST is running is behind a proxy:
  - For a transparent proxy, use any one of the following when running the server:
    - Standard Java properties:
      -Dhttps.proxyHost={proxy_ip} -Dhttps.proxyPort={proxy_port}
    - Custom Java properties:
      -DIast.proxyHost={proxy_ip} -DIast.proxyPort={proxy_port}
    - Environment variables:
      IAST_PROXY_HOST={proxy_ip} IAST_PROXY_PORT={proxy_port}
  - If a certificate is needed to communicate externally (for example, to pass a transparent proxy), supply a valid certificate and run the following command to import it into the keystore:
    keytool.exe -import -storepass "changeit" -keystore "C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts" -alias certificate.cer -file "C:\certificate.cer" -noprompt
    Note: If you installed the JRE with default settings, the keystore name is cacerts and it is protected by the password changeit. Otherwise, replace the -storepass, -keystore, and -file values with your own.
- For IAST agent versions prior to 1.14.2, if both the compile-time and the runtime Java versions are 9 or higher, add the following flag to the java run command:
  -Djava.lang.invoke.stringConcat=BC_SB
Procedure
- Download the ASoC Java IAST agent, as described here.
- Extract the contents of the ZIP file.
- Deploy the IAST agent as either a WAR servlet or a JAR file:
  Deploy as a WAR servlet:
  - Locate Secagent.war in the root of the extracted ZIP file.
  - Follow the instructions for your server:
    - Tomcat server / Jetty server: Copy Secagent.war to your webapps folder, or deploy it as you would any other WAR servlet.
    - WebSphere server: Deploy Secagent.war as you would any other WAR servlet. Note: Make sure to:
      - Deploy the agent as a web application, not an enterprise application
      - Select /Secagent as the context root
    - WebSphere Liberty server / Open Liberty server: Copy Secagent.war to your dropins folder, or deploy it as you would any other WAR servlet.
    - JBoss/WildFly server / JBoss EAP server: Copy Secagent.war to the deployments folder, or deploy it as you would any other WAR servlet.
    - WebLogic: Deploy Secagent.war as you would any other WAR servlet.
  - To verify the deployment, open any browser and browse to:
    http://<server address>/Secagent
    The Secagent page opens, showing that the agent has been loaded successfully. As you use or test your application (run functional tests, run a Dynamic Scan, or explore the app manually), the IAST Agent monitors requests as they are sent, and reports on security issues it finds.
  Deploy as a JAR file:
  Use this deployment method when it is not possible to deploy the IAST agent as a WAR file, for example when running IAST on a Quarkus framework. In this deployment method, the IAST agent runs as a Java agent.
  - In the jar_deployment folder, locate secagent.jar.
  - Add the following flag to your app command line (the JVM agent switch is -javaagent, not a -D system property):
    -javaagent:<path to secagent.jar>
  - To verify the deployment, check stdout for messages starting with "[IAST Secagent]".
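The JAR deployment step and the flags listed under "Before you begin" can be assembled into one command line. The bash script below is an added example, not part of the IAST documentation: it builds the JVM flags from the agent version, the Java major version and optional transparent-proxy settings, and checks a captured stdout log for the agent's startup message. The file paths, version numbers and proxy address are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the IAST documentation): assemble the JVM flags for
# running an application with the IAST agent deployed as a JAR, applying the
# rules on this page: -javaagent:<path to secagent.jar>, the custom proxy
# properties -DIast.proxyHost/-DIast.proxyPort behind a transparent proxy, and
# -Djava.lang.invoke.stringConcat=BC_SB for agent versions before 1.14.2 on
# Java 9 or higher. Paths, versions and the proxy address are constructed values.

# Return success if dotted version $1 is lower than dotted version $2.
version_lt() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}                       # leading component of each
    [ "$a" = "${a#*.}" ] && a="" || a=${a#*.}    # drop it (empty when last)
    [ "$b" = "${b#*.}" ] && b="" || b=${b#*.}
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
  done
  return 1                                       # equal is not "lower"
}

# Print the flags. Arguments: agent_version java_major agent_jar [proxy_host proxy_port]
# java_major is the lower of the compile-time and runtime Java versions, since
# the page requires the BC_SB flag only when both are 9 or higher.
iast_jvm_flags() {
  local agent_version="$1" java_major="$2" agent_jar="$3" proxy_host="$4" proxy_port="$5"
  local flags="-javaagent:${agent_jar}"
  if [ -n "$proxy_host" ]; then
    flags="$flags -DIast.proxyHost=${proxy_host} -DIast.proxyPort=${proxy_port}"
  fi
  if version_lt "$agent_version" "1.14.2" && [ "$java_major" -ge 9 ]; then
    flags="$flags -Djava.lang.invoke.stringConcat=BC_SB"
  fi
  printf '%s\n' "$flags"
}

# Verify a JAR deployment from a captured stdout log: the agent announces
# itself with lines starting "[IAST Secagent]".
iast_agent_loaded() {
  grep -q '^\[IAST Secagent\]' "$1"
}

# Constructed sample: agent 1.13.0 on Java 11 behind a transparent proxy.
iast_jvm_flags 1.13.0 11 /opt/iast/jar_deployment/secagent.jar 10.0.0.5 3128
```

Prepend the printed flags to the application's java command; agents at or after 1.14.2, or Java 8 runtimes, get only the -javaagent and proxy flags.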
Running a Java agent with security manager
About this task
You can run the Java agent with the security manager:
- As a WAR file on Tomcat, or
- As a JAR file on servers other than Tomcat. Contact the AppScan support team for guidance.
To run the Java agent with the security manager as a WAR file on Tomcat:
Procedure
- Locate the catalina.policy file.
  The catalina.policy file is usually located in the Tomcat installation configuration directory. The exact path might vary depending on your operating system and Tomcat version.
- Open the catalina.policy file in a text editor.
- Locate the "grant" block.
  Look for a block starting with the keyword "grant" followed by one or more "permission" statements.
- Add the required permissions as follows:
- Save the catalina.policy file.
- Restart the Tomcat server to apply the changes.