How to enable connections and publish assessments for different versions of AppScan Source and AppScan Enterprise
How do you allow IBM Security AppScan Source to connect to IBM Security AppScan Enterprise and
publish assessments to AppScan Enterprise Console when you have different versions of the AppScan Source and AppScan Enterprise products?
Historically, the integration between AppScan Enterprise and AppScan Source meant that the version and release level of both products had to match. (Note: This is still valid for versions prior to v9.0.1) Older versions of AppScan Source were supported in AppScan Enterprise for importing security results only, but connecting for regular AppScan Source use was not allowed.
However this has changed with the release of AppScan Enterprise 22.214.171.124 iFix4, 126.96.36.199 iFix2, and 9.0.3 iFix4 in January 2016.
A small number of users are affected by IBM Product Security Incident Response 5843. An update has been made available for AppScan Enterprise and AppScan Source users for this security incident (see http://www.ibm.com/support/docview.wss?uid=swg24043198). That update is only required if you use the AppScan Source Database for storing local AppScan Source users. It is not required if you use AppScan Enterprise Server for user management. If you apply the update, you must upgrade to AppScan Enterprise Server Version 188.8.131.52 iFix001.
For all other scenarios, check these use cases:
1. When the AppScan Source version is older than AppScan Enterprise
Beginning with v9.0.1, there was a workaround that allowed the connection by adding in AppScan Enterprise the following property: allow.older.source.clients=true to: <install-dir>\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties
With the following iFix releases, as of AppScan Source 9.0.1, you do not need to add this property when connecting to the following versions of AppScan Enterprise:
9.0.3 iFix4 and later
2. When the AppScan Source version is newer than AppScan Enterprise
In the past, this connection was not allowed because there could be major consequences (for example, if a newer AppScan Source version has new issue types, those issue types could not be imported into an older AppScan Enterprise version that didn't have matching issue types).
You may allow this connection from AppScan Source 9.0.1 and later to the following versions of AppScan Enterprise:
9.0.3 iFix4 and later
by adding the following property: allow.newer.source.clients=true
to the asc.properties file in <install-dir>\AppScan Enterprise\Liberty\usr\servers\ase\config
This table summarizes how the connection is allowed between various versions of AppScan Source and AppScan Enterprise:
|AppScan Source 9.0.1||AppScan Source 9.0.2||AppScan Source 9.0.3|
|AppScan Enterprise 184.108.40.206 iFix4||By default||Add property||Add property|
|AppScan Enterprise 220.127.116.11 iFix2||By default||Default||Add property|
|AppScan Enterprise 9.0.3 iFix4||By default||By default||By default|
By default - Connection allowed by default.
Add property - Connection allowed by adding the allow.newer.source.clients=true property.
|Security||IBM Security AppScan Source||Platform Independent||Version Independent|
More support for:
IBM Security AppScan Enterprise
Software version: Version Independent
Operating system(s): Windows
Software edition: Enterprise
Reference #: 1975211
Modified date: 07 November 2017