How do you obtain and apply licenses for IBM Security AppScan Source products?
How to obtain licenses
AppScan Source uses the Rational Common Licensing system. You obtain the licenses at the License Key Center (LKC), as described in this video, How to acquire licenses from License Key Center, or in How to generate license keys at License Key Center.
If you are obtaining licenses (nodelocked licenses) for AppScan Source on OS X, consult How to generate licenses for OS X.
Note: You do NOT receive licenses for AppScan products that you have purchased from your IBM Sales representative or from AppScan Support (with some exceptions for evaluation licenses). Instead, you or the primary contact with IBM at your company obtains the licenses from the LKC as described above.
License keys in LKC
AppScan Source requires a separate license key for each of the four AppScan Source products. The licenses are either nodelocked or floating. To use most of the AppScan Source products, you also need a license for installing the AppScan Enterprise Server. Here are the different AppScan Source products with the names of their licenses as they appear in the License Key Center (LKC):
- AppScan Source for Analysis
This is a standalone application for viewing assessments, running scans, and generating reports. It requires a license key named AppScanSourceSec that is nodelocked or floating.
The nodelocked license allows you to open and use AppScan Source for Analysis instances on the particular machine for which the license is generated. In the License Key Center, this license is referred to as:
IBM Security Appscan Source For Analysis Authorized User Single Install License Key
The floating license allows you to use AppScan Source for Analysis on any machine that has a TCP/IP connection to the license server. The license is checked out when you open an AppScan Source instance, and returned when the AppScan Source instance is closed. In the License Key Center, this license is referred to as:
IBM Security Appscan Source Edition Security Floating User License Key
- AppScan Source for Remediation
This is a plug-in for the Eclipse, Rational Application Developer for WebSphere Software (RAD), and Visual Studio development environments. The license key for this plug-in is called AppScanSourceRem. It allows you to open, view, and modify assessments.
In the License Key Center, the nodelocked license is referred to as:
IBM Security Appscan Source for Remediation Authorized User Single Install License Key
The floating license is checked out when opening an assessment, and returned back to the license server when closing the development environment. In the License Key Center, this license is referred to as:
IBM Security Appscan Source Remediation Floating User License Key
- AppScan Source for Development
This is a plug-in for the Eclipse, RAD, and Visual Studio development environments. The license key for this plug-in is called AppScanSourceDev. It allows you to scan source code for security vulnerabilities. However, this component requires also a AppScanSourceRem (Remediation) license in addition to the AppScanSourceDev license. The Remediation license allows you to open, view, and modify assessments. If you order the AppScan Source for Development component, you will receive a set of both licenses, AppScanSourceDev and AppScanSourceRem.
In the License Key Center, the AppScanSourceDev nodelocked license is referred to as:
IBM Security AppScan Source For Development Scan Authorized User Single Install license key
The floating license is checked out when starting a scan and returned back to the license server when closing the development environment. In the License Key Center, this license is referred to as:
IBM Security AppScan Source for Development Scan Floating Single Install license key
Note: Since the Development plug-in license needs to be complemented by a license for viewing assessments, the above Development plug-in license is often accompanied by one of these licenses which cover the same functionality as the corresponding Remediation plug-in license:
- License Key Center nodelocked license: IBM Security AppScan Source for Development Base Floating Single Install license key
- License Key Center floating license: IBM Security AppScan Source For Development Base Authorized User Single Install license key
- AppScan Source for Automation
This is a server installation that is targeted for build environments. The license key is called AppScanSourceAuto. There are two tools that require an automation license:
- The command line tool, AppScanSrcCli, can be run manually from a shell or called by a script.
- The ounceauto service or daemon, which is used for automating scans (often with various build tools such as Build Forge, Jenkins, and Apache Maven).
- AppScan Enterprise Server
To be able to use most features in AppScan Source, you need to install the "User Administration" part of the AppScan Enterprise product. The "User Administration" part is needed to authenticate users of AppScan Source applications - and it requires an AppScanServerPremium or AppScanServerBasic license. These licenses are only floating and, in the License Key Center, they are referred to as:
IBM Security AppScan Enterprise Svr Basic Per Install License Key and
IBM Security AppScan Enterprise Svr Per Install License Key
These AppScan Enterprise licenses are described in Licensing for AppScan Enterprise.
Note: You can run AppScan Source for Development (version 9.0 and later) without AppScan Enterprise Server. If you do not use the server for this product, you cannot access shared items such as filters, scan configurations, and custom rules.
In the License Key Center, the nodelocked license is referred to as:
IBM Security Appscan Source For Automation Install License
In the License Key Center, the floating license is referred to as:
IBM Security AppScan Source Edition for Automation Floating license key
How to apply the licenses
Appscan Source licenses are either nodelocked or floating, and they are applied differently.
Nodelocked licenses are license files that are saved to the machines on which AppScan Source components and products are installed. You import the licenses with AppScan Source License Manager, a tool that is installed by default with each of the AppScan products. You use the "Import license" button in the menu bar of License Manager to import a nodelocked license (see the screen capture below).
Floating licenses are managed by the License Key Server. You need to install the License Key Server, and then import the floating license keys into it using the License Key Administrator. You will then need to open the AppScan Source License Manager on the machines where you installed AppScan Source and point it to the License Server. To do this, use the "Configure license servers" button to point it to the license server(s), as marked in the screen capture.
You can start License Manager from the Windows Start menu on Windows or by running licensemgr.sh on Linux or OS X.
Note: License Manager shows the total number of licenses imported, and it does not show the number of licenses in use (or not in use).
1. Installing a new AppScan Source product
- Download and install License Key Server version 8.1.4 or newer.
- Get AppScan Source and AppScan Enterprise license keys from the License Key Center as described above.
- Import the floating keys into the License Key Server (the AppScan Enterprise license, and AppScan Source floating licenses if you are using any).
- Install AppScan Enterprise Server, and then install the AppScan Source products for which you have licenses.
- Open AppScan Source License Manager on the machines where you installed the AppScan Source products and import the nodelocked licenses or configure the license servers for floating licenses.
2. Upgrading AppScan Source to a newer version
- When upgrading to a newer version of AppScan Source, you do not need to make any changes to the licensing if you are upgrading from version 8.5 or newer.
- If upgrading from AppScan Source versions 6.2 to 126.96.36.199, perform a new installation as described in scenario #1.
3. Moving License Key Server to another machine
- Move the License Server and the license keys as described in How to transfer License Key Server or license keys.
- Open AppScan Source License Manager on the machines where you installed the AppScan Source products and reconfigure the license servers for floating licenses.
- Reconfigure AppScan Enterprise Server to use the new License Key Server by running the Configuration Wizard.
4. Moving AppScan Source to another machine
- If the License Key Server is going to be moved as well, then refer to scenario #3 for moving the License Key Server.
- If the AppScan Enterprise Server is going to be moved as well, stop the AppScan Enterprise Service or uninstall AppScan Enterprise Server on the old machine, and install AppScan Enterprise Server on the new machine.
- If you are using floating licenses for AppScan Source products, install the AppScan Source products on the new machines and then open the License Manager and point it to the License Server.
- If you are using nodelocked licenses for the AppScan Source products, transfer the license keys to the new machines as described in How to transfer License Key Server or license keys and then import the new license keys into the new AppScan Source installations using License Manager.