Welcome
Administering
Learn how to administer user accounts and permissions, audit user activity, and manage integrations in HCL® AppScan® Source.
Administering AppScan® Source
This section explains user management, permissions, application and project registration, and port configuration.
Creating AppScan® Source users
Typically, administrators will have users log in to AppScan® Source products with their AppScan Enterprise Server credentials. However, if there is cause for having AppScan Source users that do not exist in the AppScan Enterprise Server, administrators can create local AppScan Source users, according to the instructions in this topic.
Creating local product administrator users in AppScan® Enterprise Server Liberty
As of AppScan® Enterprise Server Version 9.0.1, you have the ability to create a local product administrator user in AppScan Enterprise Server Liberty in order to administer AppScan Source. After the user is created, the AppScan Source Database must be registered with AppScan Enterprise Server using the administrator credentials.
Encrypting the administrator password
When creating a local product administrator user for an AppScan® Enterprise Server, you add the administrator user and password to the server.xml file. You can encrypt that password by following the instructions in this topic.

Welcome
Welcome to the documentation for HCL® AppScan® Source.
What's New
Explore new features added to AppScan® Source and note any features and capabilities deprecated in this release.
Installing
Learn how to install, upgrade, and activate HCL® AppScan® Source.
Configuring
Learn how to configure applications, folders, and projects, and set attributes and properties in HCL® AppScan® Source.
Administering
Learn how to administer user accounts and permissions, audit user activity, and manage integrations in HCL® AppScan® Source.
- Administering AppScan® Source
  This section explains user management, permissions, application and project registration, and port configuration.
  - User accounts and permissions
    Before AppScan® Source users can begin to scan or triage results, an administrator must create user accounts and assign permissions to the accounts.
  - Using AppScan® Source for Analysis in standalone mode
    You can use AppScan® Source for Analysis while not connected to an AppScan Enterprise or the AppScan Database Service. However, you will be unable to share scans or assessments with other AppScan Source clients.
  - Creating AppScan® Source users
    Typically, administrators will have users log in to AppScan® Source products with their AppScan Enterprise Server credentials. However, if there is cause for having AppScan Source users that do not exist in the AppScan Enterprise Server, administrators can create local AppScan Source users, according to the instructions in this topic.
    - AppScan® Enterprise Server authentication: Migration considerations for replacement of the IBM® Rational® Jazz™ user authentication component with IBM® WebSphere® Liberty
      This topic describes user management-related migration considerations that you may need to consider if you are upgrading from a previous version of AppScan® Enterprise Server.
    - Configuring automatic login of AppScan® Enterprise Server users
      By default, AppScan® Enterprise Server users can log in to AppScan Source and automatically be added to the AppScan Source Database (these users will be listed as AppScan Enterprise Server users). This feature can be configured in the AppScan Source for Analysis user interface according to the instructions in this topic.
    - Creating local product administrator users in AppScan® Enterprise Server Liberty
      As of AppScan® Enterprise Server Version 9.0.1, you have the ability to create a local product administrator user in AppScan Enterprise Server Liberty in order to administer AppScan Source. After the user is created, the AppScan Source Database must be registered with AppScan Enterprise Server using the administrator credentials.
      - Creating a local product administrator user for an AppScan® Enterprise Server that is configured with LDAP
      - Creating a local product administrator user for an AppScan® Enterprise Server that is configured with Windows™ authentication
      - Encrypting the administrator password
        When creating a local product administrator user for an AppScan® Enterprise Server, you add the administrator user and password to the server.xml file. You can encrypt that password by following the instructions in this topic.
    - Creating a user account for the Automation Server
      A user account is required for Automation Server use. This user account must be registered with the Automation Server during installation or by command line post-installation. A corresponding AppScan® Source user account must also then be created manually post-installation with AppScan Source for Analysis or the AppScan Source command line interface (CLI). This topic describes creating this account using AppScan Source for Analysis.
- Auditing user activity
  AppScan® Source offers a convenient location for auditing user activity. The Audit view logs events such as authentication to the AppScan Enterprise Server, the creation of new users, and the creation of new rules in the database.
- Logging in to AppScan® Enterprise Server from AppScan® Source products
  Most AppScan® Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments. All user management occurs in AppScan Enterprise.
- LDAP integration
  To add an AppScan® Source user that will be authenticated via LDAP, you must have configured the AppScan Enterprise Server user repository to use an LDAP repository.
- Registering applications and projects for publishing to AppScan® Source
- AppScan® Source application, folder, and project files
  AppScan® Source applications, folders, and projects have corresponding files that maintain configuration information required for scanning, as well as triage customization. These files should reside in the same directory as the source code, since configuration information (dependencies, compiler options, and so forth) required to build the projects is very similar to that required for AppScan Source to scan them successfully. Best practice includes managing these files with your source control system.
- Port configuration
Scanning
This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
Reporting
Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
Extending product function
Learn how to extend the product to meet specific development requirements.
Reference
Review reference information for HCL® AppScan® Source, including using utilities, plug-ins, and APIs.
Troubleshooting and support
Self-help information, resources, and tools to help you troubleshoot issues while using HCL® AppScan® Source.

Encrypting the administrator password

When creating a local product administrator user for an AppScan® Enterprise Server, you add the administrator user and password to the server.xml file. You can encrypt that password by following the instructions in this topic.

When you edit the server.xml file (by following the instructions in Creating a local product administrator user for an AppScan Enterprise Server that is configured with LDAP or Creating a local product administrator user for an AppScan Enterprise Server that is configured with Windows authentication), you can use the securityUtility tool to encode the password for the administrator user. On Windows™, the tool is located in Liberty\bin in the AppScan® Enterprise Server installation directory. On Linux™, the tool is located in Liberty/bin. When you run the securityUtility encode command, you either supply the password to encode as an input from the command line or, if no arguments are specified, the tool prompts you for the password. The tool then outputs the encoded value. For example, to encode a password value of ADMIN, issue the securityUtility encode ADMIN command. This should generate an output value of {xor}HhsSFhE=.

Copy the value that is generated by the tool, and use that value for the password when adding the basicRegistry section to the server.xml file. For example, add this to the file:

<basicRegistry id="basic" realm="customRealm">
  <user name="ADMIN" password="{xor}HhsSFhE=" />
</basicRegistry>