How do you obtain and apply licenses for IBM Security AppScan Source products?
How to obtain licenses
AppScan Source uses the Rational Common Licensing system. You obtain the licenses at License Key Center (LKC), as described in this video How to acquire licenses from License Key Center or in this technote How to generate license keys at License Key Center.
If you are obtaining Nodelocked licenses for AppScan Source on OS X, consult How to generate licenses for OS X.
Note: You do NOT receive licenses for AppScan products you have purchased from your IBM Sales representative or from AppScan Support (with some exceptions for evaluation licenses). Instead you or the Primary Contact with IBM at your company checks out the licenses at LKC as described above.
License keys in LKC
AppScan Source require a separate license key for each of the four AppScan Source products. The licenses can be of type Nodelocked or Floating. It also requires a license for installing the AppScan Enterprise Server. Lets describe the products one by one, and give names of the licenses as they appear in the License Key Center (LKC):
- AppScan Source for Analysis
This is a standalone application for viewing assessments, running scans and generating reports. It requires a license key named AppScanSourceSec of type Nodelocked or Floating.
The Nodelocked license allows you to open and use AppScan Source for Analysis instances on the particular machine for which the license is generated. The license is called in License Key Center:
- IBM Security Appscan Source For Analysis Authorized User Single Install License Key
The Floating license allows you to use AppScan Source for Analysis on any machine having a TCP/IP connection to the License Server. The license is checked out when you open an AppScan Source instance, and returned when the AppScan Source instance is closed. The license is called in License Key Center:
- IBM Security Appscan Source Edition Security Floating User License Key
- AppScan Source for Remediation
This is a plugin for the Eclipse, RAD and Visual Studio IDEs. The license key for the Remediation plugin is called AppScanSourceRem. It allows you to open, view and modify assessments.
The Nodelocked license is called in LKC:
- IBM Security Appscan Source for Remediation Authorized User Single Install License Key
The Floating license is checked out when opening an assessment, and returned back to the License Server when closing the IDE. The licenses is called in License Key Center:
- IBM Security Appscan Source Remediation Floating User License Key
- AppScan Source for Development
This is a plugin for the Eclipse, RAD and Visual Studio IDEs. The License key for Development plugin is called AppScanSourceDev. It allows you to run scans. You must have a Remediation license in addition to a Development license to run the Development plugin successfully.
The Nodelocked license is called in License Key Center:
- IBM Security AppScan Source For Development Scan Authorized User Single Install license key
The Floating license is checked out when starting a scan and returned back to the License Server when closing the IDE. The license is called in License Key Center:
- IBM Security AppScan Source for Development Scan Floating Single Install license key
Note: Since the Development plugin license needs to be complemented by a license for viewing assessments, often the above Development plugin licenses are accompanied by one of the following licenses which cover the same functionality as the corresponding Remediation plugin license:
The Nodelocked license is called in License Key Center:
- IBM Security AppScan Source for Development Base Floating Single Install license key
The Floating license is called in License Key Center:
- IBM Security AppScan Source For Development Base Authorized User Single Install license key
- AppScan Source for Automation
This is a server installation that is targeted at build environments. The License key is called AppScanSourceAuto. There are two tools that require an automation license:
- The command line tool, AppScanSrcCli, can be run manually from a shell or called by a script
- ounceauto - service or daemon. It is used for automating scans and is often used with various build tools, Build Forge, Jenkins, maven, etc.
The Nodelocked license keys is called in License Key Center:
- IBM Security Appscan Source For Automation Install License
The Floating license key is called in License Key Center:
- IBM Security AppScan Source Edition for Automation Floating license key
- AppScan Enterprise Server
For an installation of AppScan Source, you need to install the "User Administration" part of the AppScan Enterprise product as well. The "User Administration" part is needed to authenticate users of the AppScan Source applications. In order to install it you need a license AppScanServerPremium or AppScanServerBasic These licenses are only of type Floating. The licenses are called respectively in License Key Center:
- IBM Security AppScan Enterprise Svr Basic Per Install License Key
- IBM Security AppScan Enterprise Svr Per Install License Key
Those AppScan Enterprise licenses are described in Licensing for AppScan Enterprise
How to apply the licenses
There are two types of Appscan Source licenses, Nodelocked or Floating, and they are applied differently.
Nodelocked licenses are imported on the machines where AppScan Source tools are installed.
You import the licenses with License Manager, a tool that is installed by default with each of the AppScan products. You use the "Import license" button in the menu bar of License Manager to import the Nodelocked licenses (see the screen capture below).
Floating licenses are managed by License Key Server. You need to install License Key Server, and then import the Floating license keys into the License Server using it's License Key Administrator. However, you will need also to open License Manager on the machines where you installed AppScan Source and point it to the License Server. Use the "Configure license servers" button in the menu bar of License Manager to point it to the license server(s), as marked in the screen capture.
You can start License Manager from the Windows Start menu on Windows or by running licensemgr.sh on Linux. A screen capture of License Manager is as follows:
Note: License Manager shows the total number of licenses imported, and it does not show the number of licenses in use (or not in use).
1. Installing a new AppScan Source product
- Download and install License Key Server version 8.1.4 or newer.
- Get AppScan Source and AppScan Enterprise license keys from License Key Center as described above.
- Import the Floating keys into License Key Server.
- Install AppScan Enterprise Server, and then install AppScan Source products for which you have license.
- Open License Manager on the machines where you installed AppScan Source products and:
- if having Floating licenses for the AppScan Source products, point the License Manager to the License Server
- if having Nodelocked licenses for the AppScan Source products, import them.
2. Uppgrading AppScan Source to a newer version
- When upgrading to a newer version of AppScan Source, you do not need to make any changes to the licensing if you upgrading from a version 8.5 or newer.
- If upgrading from AppScan Source versions 6.2-220.127.116.11, proceed as with a new installation described in scenario #1.
3. Moving License Key Server to another machine
- Move the License Server and the license keys as described in: How to transfer License Key Server or license keys
- repoint the License Manager to the new License Server if you are using Floating licenses for the AppScan Source products and re-point the AppScan Enterprise Server to the new License Key Server by running the Configuration Wizard.
4. Moving AppScan Source to another machine
- If the License Key Server is going to be moved as well, then refer to scenario #3 for moving the License Key Server.
- If the AppScan Enterprise Server is going to be moved as well, stop AppScan Enterprise Service or uninstall AppScan Enterprise Server on the old machine, and install AppScan Enterprise Server on the new machine.
- If having Floating licenses for the AppScan Source products, after installing the AppScan Source products on the new machines, open there License Manager and point it to the License Server.
- If having Nodelocked licenses for the AppScan Source products, transfer the license keys to the new machines as described in How to transfer License Key Server or license keys and then import the new license keys into the new AppScan Source installations using License Manager.