IBM Support

How to enable connections and publish assessments for different versions of AppScan Source and AppScan Enterprise

Technote (FAQ)


Question

How do you allow IBM Security AppScan Source to connect to IBM Security AppScan Enterprise and publish assessments to AppScan Enterprise Console when you have different versions of the AppScan Source and AppScan Enterprise products?

Cause

Historically, the integration between AppScan Enterprise and AppScan Source meant that the version and release level of both products had to match. (Note: This is still valid for versions prior to v9.0.1.) Older versions of AppScan Source were supported in AppScan Enterprise for importing security results only, but connecting for regular AppScan Source use was not allowed.
However, this has changed with the release of AppScan Enterprise 9.0.1.1 iFix4, 9.0.2.1 iFix2, and 9.0.3 iFix4 in January 2016.


Answer

A small number of users are affected by IBM Product Security Incident Response 5843. An update has been made available for AppScan Enterprise and AppScan Source users for this security incident (see http://www.ibm.com/support/docview.wss?uid=swg24043198). That update is only required if you use the AppScan Source Database for storing local AppScan Source users. It is not required if you use AppScan Enterprise Server for user management. If you apply the update, you must upgrade to AppScan Enterprise Server Version 9.0.3.4 iFix001.

For all other scenarios, check these use cases:

1. When the AppScan Source version is older than AppScan Enterprise

Beginning with v9.0.1, there was a workaround that allowed the connection: in AppScan Enterprise, add the property allow.older.source.clients=true to <install-dir>\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties

With the following iFix releases, as of AppScan Source 9.0.1, you do not need to add this property when connecting to the following versions of AppScan Enterprise:

   9.0.1.1 iFix4
   9.0.2.1 iFix2
   9.0.3 iFix4 and later

2. When the AppScan Source version is newer than AppScan Enterprise

In the past, this connection was not allowed because there could be major consequences (for example, if a newer AppScan Source version has new issue types, those issue types could not be imported into an older AppScan Enterprise version that didn't have matching issue types).

You may allow this connection from AppScan Source 9.0.1 and later to the following versions of AppScan Enterprise:

   9.0.1.1 iFix4
   9.0.2.1 iFix2
   9.0.3 iFix4 and later

by adding the following property: allow.newer.source.clients=true
to the asc.properties file in <install-dir>\AppScan Enterprise\Liberty\usr\servers\ase\config


This table summarizes how the connection is allowed between various versions of AppScan Source and AppScan Enterprise:

| | AppScan Source 9.0.1 | AppScan Source 9.0.2 | AppScan Source 9.0.3 |
|---|---|---|---|
| AppScan Enterprise 9.0.1.1 iFix4 | By default | Add property | Add property |
| AppScan Enterprise 9.0.2.1 iFix2 | By default | By default | Add property |
| AppScan Enterprise 9.0.3 iFix4 | By default | By default | By default |

By default - Connection allowed by default.
Add property - Connection allowed by adding the allow.newer.source.clients=true property.
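
The rules and table above can be turned into a check on asc.properties. The following is an added example, not IBM code: it reports which override property a set of AppScan Source client versions requires and flags overrides that are enabled without any client needing them (that second check is this example's own choice). The function names, the has_listed_ifix flag and the sample file content are assumptions made for illustration, and the example only covers 9.0.1 and later on both sides.

```python
import re

OLDER = "allow.older.source.clients"
NEWER = "allow.newer.source.clients"

def parse_properties(text):
    """Return key/value pairs from .properties text, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def release(version):
    """'9.0.2.1 iFix2' -> (9, 0, 2): the release the compatibility table is keyed on."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])

def required_property(source, enterprise, has_listed_ifix=True):
    """Name of the override this pairing needs, or None if allowed by default.
    has_listed_ifix (hypothetical flag): Enterprise is at one of the listed iFix levels."""
    src, ase = release(source), release(enterprise)
    if min(src, ase) < (9, 0, 1):
        raise ValueError("before 9.0.1 the versions must match")
    if src > ase:
        if not has_listed_ifix:
            raise ValueError("newer Source clients need one of the listed iFix levels")
        return NEWER
    if src < ase and not has_listed_ifix:
        return OLDER  # the pre-iFix workaround for older Source clients
    return None

def audit(properties_text, source_versions, enterprise, has_listed_ifix=True):
    """List overrides that are missing, then overrides enabled with no client needing them."""
    props = parse_properties(properties_text)
    enabled = {k for k in (OLDER, NEWER) if props.get(k) == "true"}
    needed = {required_property(s, enterprise, has_listed_ifix) for s in source_versions}
    needed.discard(None)
    return ([f"missing: {k}=true" for k in sorted(needed - enabled)]
            + [f"not needed: {k}=true" for k in sorted(enabled - needed)])

# Constructed sample content, not taken from a real server.
SAMPLE = "# asc.properties (constructed)\nallow.older.source.clients=true\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["9.0.1", "9.0.3"], "9.0.2.1 iFix2"):
        print(finding)
```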



Cross reference information
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Security | IBM Security AppScan Source | | Platform Independent | Version Independent | |

Document information

More support for: IBM Security AppScan Enterprise
Integration

Software version: Version Independent

Operating system(s): Windows

Software edition: Enterprise

Reference #: 1975211

Modified date: 07 November 2017