Configuring the HCL AppScan Traffic Recorder
Changes you can make in the configuration file Settings.json for use with HCL AppScan Traffic Recorder
FIPS Compliant mode
- Locate the file Settings.json in the root folder of the HCL AppScan Traffic Recorder and open it in a text editor.
- Locate the requireFips property and change its value from false to true.
- Save the file.
Traffic Recorder connection
- Configure a default port for the Traffic Recorder in Settings.json.
- Configure a secure (SSL) connection to the Traffic Recorder. You can do this using your own certificate (Method A) or a self-signed certificate (Method B).
Method A: Configure your own PEM or PKCS12 certificate in Settings.json:
PEM:
- A PEM certificate requires two file paths (to private.key and certificate.pem).
- Insert the file paths in the PEM section of Settings.json. Note: Escaping is required for the \ character. For example, C:\\Users\\admin\\private.key.
PKCS12: You must escape characters as needed both in file paths and in the password. For instance, a password such as abc!"123 becomes abc!\"123 (the " symbol is escaped).
- In the command line, run:
.\Java\bin\java.exe -jar .\DastProxy.jar -sc "C:\Path\to\certificate.pfx"
- When prompted, enter the certificate's password and press Enter.
Example using OpenSSL to create a PEM certificate:
openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
openssl x509 -req -days 365 -in csr.pem -signkey key.pem -out server.crt
Example using OpenSSL to convert the PEM certificate to a PKCS12 certificate:
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in server.crt
Example using Java's keytool to convert a JKS certificate to a PKCS12 certificate:
keytool -importkeystore -srckeystore certificate.jks -srcstoretype JKS -destkeystore certificate.p12 -deststoretype PKCS12
Method B: If you don't have a certificate, you must create and use a self-signed certificate. This method is less secure.
- Option A: Using OpenSSL
- OpenSSL is not included and is not required except for creating the self-signed certificate.
- Create the key and PEM files using the OpenSSL command:
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.pem
- Insert the file paths in the PEM section of Settings.json. Note: Escaping is required for the \ character. For example: "C:\\Users\\admin\\private.key"
- Option B: Using Java keytool
- For NodeJS 17 and above you must use the --openssl-legacy-provider node flag due to a keytool limitation, see https://nodejs.org/api/cli.html#--openssl-legacy-provider
- In the command line, open the Traffic Recorder root folder.
- Create a PKCS12 certificate file using this command:
.\Java\bin\keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore-new.p12 -storetype PKCS12 -validity 365 -keysize 2048
- Complete the certificate details and protect it with a password. The password is needed in the next step.
- Use the generated certificate in the HCL AppScan Traffic Recorder using the command:
.\Java\bin\java.exe -jar .\DastProxy.jar -sc "keystore-new.p12"
Root certificate
If the application you are testing uses SSL (HTTPS), the HCL AppScan Traffic Recorder must act as a man-in-the-middle to record traffic. To do this it must have a root certificate that it can use to sign its communication with the application.
- Install the certificate generated by the HCL AppScan Traffic Recorder on your machine(s):
- Use the REST API to download the self-signed Root Certificate Authority, used by the HCL AppScan Traffic Recorder, as a PEM file.
- Install it in the browser used for the Explore, or wherever needed (depending on where the traffic is sent from).
- Import your own root certificate to the HCL AppScan Traffic Recorder:
- Open a command line window and navigate to the installation folder on the Traffic Recorder machine.
- Run the following command:
.\Java\bin\java -jar DastProxy.jar -irc [path to certificate file] -ircp [password]
To see the complete command usage, run:
.\Java\bin\java -jar DastProxy.jar
Important: Since the certificate will be saved on the Traffic Recorder, it is recommended that you use a dedicated test certificate.
Note: Supported certificate formats are PKCS12 (.P12, .PFX) and JKS.
- Provide your own fixed server certificate (not a root certificate) in the StartProxy command.
Set inactivity timeout
If a Traffic Recorder instance is not closed with a close command after use, it remains open and listening on the port. Traffic Recorder instances are closed automatically if they are idle for a predefined time.
The default inactivity timeout for Traffic Recorder instances is 60 minutes. Change this value in "inactivityTimeoutInMinutes" in the Settings.json file, found in the installation folder.
Encrypt traffic
By default, the traffic (.DAST.CONFIG) file is not encrypted. To configure the server to encrypt all traffic, change the "encryptDastConfig" value to true in the Settings.json file, found in the installation folder.
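The Settings.json edits this page asks for (the escaped PEM file paths under Method A and Option A, and the requireFips, inactivityTimeoutInMinutes and encryptDastConfig values) as an added Python example; this is not HCL's code. The sample file contents, the "pem" section and its privateKey/certificate key names are assumptions, since the page names only the three top-level keys.

```python
import json

# Constructed sample of Settings.json before editing. requireFips,
# inactivityTimeoutInMinutes and encryptDastConfig are the names the
# documentation gives; everything else here is an assumption.
SAMPLE_SETTINGS = """{
  "requireFips": false,
  "inactivityTimeoutInMinutes": 60,
  "encryptDastConfig": false
}"""


def json_escape(value):
    # What must be typed between the quotes: json.dumps doubles every
    # backslash in a Windows path and escapes a " inside a password.
    return json.dumps(value)[1:-1]


def validate_settings(text):
    # A path typed with single backslashes (C:\Users\...) is not valid JSON;
    # report where the parser tripped instead of letting the recorder fail.
    try:
        json.loads(text)
        return True, "ok"
    except json.JSONDecodeError as exc:
        return False, "line %d col %d: %s" % (exc.lineno, exc.colno, exc.msg)


def load_settings(text):
    return json.loads(text)


def update_settings(text, require_fips=None, timeout_minutes=None,
                    encrypt_dast_config=None, pem_key=None, pem_cert=None):
    # Paths are passed as plain strings; json.dumps writes them out escaped,
    # so no manual doubling of backslashes is needed.
    settings = json.loads(text)
    if require_fips is not None:
        settings["requireFips"] = bool(require_fips)
    if timeout_minutes is not None:
        settings["inactivityTimeoutInMinutes"] = int(timeout_minutes)
    if encrypt_dast_config is not None:
        settings["encryptDastConfig"] = bool(encrypt_dast_config)
    if pem_key or pem_cert:
        if not (pem_key and pem_cert):
            raise ValueError("a PEM certificate needs both key and certificate paths")
        # Assumed section and key names; check them against your own file.
        settings["pem"] = {"privateKey": pem_key, "certificate": pem_cert}
    return json.dumps(settings, indent=2)
```

Run validate_settings on the file after any hand edit: a single-backslash path is the usual reason the recorder refuses its configuration.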
Chained proxy
If you need to define more than one chained proxy, or exceptions to the proxy, use the chained proxy rules file (proxy.chain) found in the installation folder. The file includes instructions for use.