ZAP Scan progress is 0% while trying to run ZAP Scan from a Remote Jenkins Server (External Jenkins Server) by specifying the ZAP host as node - zap

We have configured a local Jenkins instance (installed the required ZAP plugins) where ZAP is installed and tried to perform a ZAP scan using a Jenkins job. The ZAP scan is happening from the local Jenkins instance, we are able to see the progress, and the scan is getting completed.
We need to move this Jenkins configuration to the remote Jenkins instance where our other deployment jobs are present.
We have created a node for the ZAP host, and when we try to run the ZAP scan, the scan is getting initiated but the progress is 0%.
I checked the firewall settings on the ZAP host. It seems like it is not a firewall issue.
I have set the proxies in ZAP, Jenkins and the browser.
We are using localhost:8080, which is the default. If we change that to IP:8080 by adding IP:8080 in the local proxies, it is not working.
Do we need to make any other changes?

Have you configured ZAP to accept remote connections?
By default ZAP will now also only allow connections from the local machine. You can set which IP addresses can connect to the API using the command line:
-config api.addrs.addr.name=123.456.789.123
If you are using ZAP in a completely isolated environment you can allow all IP addresses to connect to the ZAP API using:
-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
You will also need to set or disable the API key.
For more details see this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQremote

Related

Zap proxy connection issue behind corporate proxy

I'm trying to use the ZAP proxy running in a Docker image. It works well on my local machine, but when trying to use it behind the corporate network the ZAP proxy requests time out because it can't connect to the internet. I have already configured the http_proxy and https_proxy environment variables, but it seems that ZAP proxy isn't using them.
You can configure a chained proxy (outbound proxy) for ZAP to use, via Tools > Options > Connection (in the GUI), or via the endpoints below in the API.
optionUseProxyChain
optionUseProxyChainAuth
optionProxyChainName
optionProxyChainPassword
optionProxyChainPort
optionProxyChainPrompt
optionProxyChainRealm
optionProxyChainSkipName
optionProxyChainUsername
proxyChainExcludeDomains
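The two ZAP answers above (allowing remote API access, and setting the chained proxy through the API) put into one script. This is an added example, not code from either answer or from the ZAP project; the `String`/`Integer`/`Boolean` parameter names of the option setters and the `-host`/`-port` daemon flags are assumptions about ZAP's API, and zap-host is a placeholder hostname.

```python
import json
import re
import urllib.parse
import urllib.request


def remote_api_args(allowed_ips, api_key, listen_host="0.0.0.0", port=8080):
    """ZAP daemon flags that let only allowed_ips reach the API.

    Several addresses are folded into one anchored regex so that only the
    api.addrs flags quoted in the answer are needed (assumption: with
    api.addrs.addr.regex=true ZAP matches the name against the whole address).
    """
    if not api_key:
        raise ValueError("set an API key whenever the API is reachable remotely")
    if len(allowed_ips) == 1:
        name, use_regex = allowed_ips[0], False
    else:
        name = "^(" + "|".join(re.escape(ip) for ip in allowed_ips) + ")$"
        use_regex = True
    args = ["-daemon", "-host", listen_host, "-port", str(port),
            "-config", f"api.addrs.addr.name={name}"]
    if use_regex:
        args += ["-config", "api.addrs.addr.regex=true"]
    return args + ["-config", f"api.key={api_key}"]


class ZapApi:
    """Minimal JSON API client, as the remote Jenkins node would use it."""

    def __init__(self, base_url, api_key):
        self.base_url, self.api_key = base_url.rstrip("/"), api_key

    def url(self, component, kind, name, **params):
        query = urllib.parse.urlencode({"apikey": self.api_key, **params})
        return f"{self.base_url}/JSON/{component}/{kind}/{name}/?{query}"

    def call(self, component, kind, name, **params):
        with urllib.request.urlopen(self.url(component, kind, name, **params), timeout=10) as resp:
            return json.load(resp)

    def set_proxy_chain(self, host, port):
        # Outbound (chained) proxy from the corporate-proxy answer; parameter names assumed.
        self.call("core", "action", "setOptionProxyChainName", String=host)
        self.call("core", "action", "setOptionProxyChainPort", Integer=port)
        self.call("core", "action", "setOptionUseProxyChain", Boolean="true")

    def scan_progress(self, scan_id):
        # The active-scan status view returns the percentage as a string, e.g. {"status": "42"}
        return int(self.call("ascan", "view", "status", scanId=scan_id)["status"])
```

Start ZAP with `zap.sh` followed by `remote_api_args([...], key)`, then poll `ZapApi("http://zap-host:8080", key).scan_progress(0)` from the remote Jenkins node; a stuck 0% with a connection error from the client points at the address allowlist or key rather than the scan.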

ERR_PROXY_CONNECTION_FAILED when using squid proxy for connection

I have a squid proxy container on my local Docker for Mac (datadog/squid image). Essentially I use this proxy so that app containers on my local docker and the browser pod (Selenium) on another host use the same network for testing (so that the remote browser can access the app host). But with my current setup, when I run my tests the browser starts up on the remote host and then after a bit fails the test. The message on the browser is ERR_PROXY_CONNECTION_FAILED right before it closes. So I assume that there is an issue with my squid proxy config. I use the default config and on the docker hub site it says
Please note that the stock configuration available with the container is set for local access, you may need to tweak it if your network scenario is different.
I'm not really sure how my network scenario is different. What should I be looking into for more information? Thanks!

Script to start Weblogic servers and Managed servers

Can someone help me write a script to perform the steps below in WebLogic.
1. Stop Managed Servers
2. Stop Node Manager
3. Stop Admin Server
4. Delete the tmp, cache folders.
The steps you mentioned can be done with WLST and Node Manager. However, you need to make the following adjustments:
Configure Node Manager/WebLogic Domain to stop using the demo SSL certificate when accessing/starting Node Manager.
Configure Node Manager
Edit nodemanager.properties and set the following:
SecureListener to false
QuitEnabled to true
Restart Node Manager
Configure WebLogic Domain
Login to WebLogic Domain
Under Environment, Machines: click the Machine name configured
Under Configuration, Node Manager: set Type to Plain and save
Restart WebLogic Domain (Admin Server + Managed Servers)
Configure WebLogic Domain's Node Manager Credentials. The default is usually the username/password you entered when creating the WebLogic Domain. However, it is also a good idea to set different credentials for the Node Manager. This is totally optional, especially when working in a development environment.
Login to WebLogic Domain
Under Domain Structure, click the WebLogic Domain name
Under Security, General: click Advanced
Set the NodeManager Username and NodeManager Password/Confirm NodeManager Password and click Save
For this answer, I will use nodemanager/nodemanager_pwd as sample values.
Assuming you have one Admin Server and one Managed Server, both on the same machine, write the following commands in a Python script:
# Connect to the Node Manager running on localhost with port 5556.
# Change the DOMAIN_NAME and the DOMAIN_HOME as appropriate
nmConnect('nodemanager','nodemanager_pwd','localhost','5556','DOMAIN_NAME','DOMAIN_HOME','PLAIN')
# Start the Admin Server.
# The following command assumes that the
# name of the Admin Server is AdminServer
nmServerStart('AdminServer')
# Start the Managed Server. Again, change the Managed Server name as appropriate
nmServerStart('Managed_Server_01')
To stop the Managed Server and Admin Server, the sequence goes in the opposite direction, and now you need to use the nmKill command. stopNodeManager() is only possible if the QuitEnabled property was set to true in the nodemanager.properties file.
nmConnect('nodemanager','nodemanager_pwd','localhost','5556','DOMAIN_NAME','DOMAIN_HOME','PLAIN')
nmKill('Managed_Server_01')
nmKill('AdminServer')
stopNodeManager()
To invoke the Python scripts that contain the commands above, execute the following commands:
$MW_HOME/oracle_common/common/bin/wlst.sh startup.py
$MW_HOME/oracle_common/common/bin/wlst.sh shutdown.py
As for clearing the tmp/cache folders, this can all be done via a shell script (assuming you're running on Linux).
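Step 4 from the question, combined with the shutdown.py from the answer above, as an added example (not the answer's own code): it runs the WLST script through wlst.sh and then removes only servers/<name>/tmp and servers/<name>/cache, refusing to touch a path that does not look like a domain home. The server names and the MW_HOME/DOMAIN_HOME paths are assumed to match the answer's sample values.

```python
import os
import shutil
import subprocess


def run_wlst(mw_home, script):
    """Run a WLST script (the answer's shutdown.py) and fail loudly if it exits non-zero."""
    wlst = os.path.join(mw_home, "oracle_common", "common", "bin", "wlst.sh")
    subprocess.run([wlst, script], check=True)


def clean_server_dirs(domain_home, servers):
    """Delete servers/<name>/tmp and servers/<name>/cache for each stopped server.

    Returns the directories actually removed. A domain home always carries a
    config/ directory, so its absence is treated as a wrong path rather than
    silently removing things elsewhere.
    """
    domain_home = os.path.abspath(domain_home)
    if not os.path.isdir(os.path.join(domain_home, "config")):
        raise ValueError(f"{domain_home} does not look like a WebLogic domain home")
    removed = []
    for server in servers:
        for sub in ("tmp", "cache"):
            path = os.path.join(domain_home, "servers", server, sub)
            if os.path.isdir(path):
                shutil.rmtree(path)
                removed.append(path)
    return removed


if __name__ == "__main__":
    import sys
    mw_home, domain_home = sys.argv[1], sys.argv[2]
    # Server names default to the answer's sample names (assumption)
    servers = sys.argv[3:] or ["AdminServer", "Managed_Server_01"]
    run_wlst(mw_home, "shutdown.py")                    # steps 1-3: nmKill + stopNodeManager
    for path in clean_server_dirs(domain_home, servers):  # step 4
        print("removed", path)
```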

Bamboo cloud agent's user account security questionable

When using a Bamboo cloud agent, on Windows, you're instructed to have a Bamboo Windows user with a default known password: Atlassian1.
It clearly says that this user should be configured to deny remote login.
But still, it's an active Windows user with a fair bit of permissions. Bamboo's server (cloud) interacts with the machine on a known port - 26224. Through this channel it sends all build commands, gets the build status from the remote agent, etc.
What prevents a hacker from scanning the Internet, finding a host with port 26224 open and starting to talk with the Bamboo agent? How does the agent know for sure that it talks to a legitimate Bamboo CI server?
I'm asking that in order to be fully confident that there is no possible attack vector.
The Security documentation for Bamboo states:
Please note the following security implications when enabling remote agents for Bamboo:
No encryption of data passed between server and agent — this includes data such as:
login credentials for version control repositories
build logs
build artifacts
No authentication of the agent or server — this could result in unauthorised actions being taken on your system, such as:
Unauthorised parties installing new remote agents — version control repository login credentials could be stolen.
Unauthorised parties masquerading as a Bamboo server — the unauthorised server could pass malicious code to the agent to run.
See Agent authentication for more information.
We strongly recommend that you do not enable remote agent installation on any Bamboo instance accessible from a public or untrusted network. Creating remote agents is disabled by default (see Disabling and enabling remote agents support).
For public facing agents, Atlassian strongly recommends securing them which is done using SSL. See Securing your remote agents which contains this note:
This page applies to remote agents and not elastic agents. Elastic agents are secured automatically by the Bamboo server and no additional steps are required.
Furthermore, regarding the elastic piece, their documentation on Elastic Bamboo Security states:
All traffic sent between the agents located in EC2 and the Bamboo server is tunnelled through an SSL-encrypted tunnel. The tunnel will be initiated from the Bamboo Server to the EC2 instance, which means that you don't need to allow any inbound connections to your server. You will need to permit outbound traffic from the server on the tunnel port, however - the default port number is 26224. On the EC2 instance, only the tunnel port needs to be open for inbound traffic.

How to configure Glassfish 3.1.2.2 so that I can use the admin service remotely with security enabled and locally with security disabled

I need a way to use the Glassfish 3.1.2.2 admin service (REST calls to deploy and configure) from a remote machine and from the local machine (command line and applications).
It is clear that for remote access it is necessary to enable secure admin. If we enable secure admin it will break all local access from applications. These applications cannot be changed to use https to access the admin service. The only thing I can change is that we can use a different port.
I see two possible ways for me:
Using a hack, so I can administer with secure admin disabled and use plain http. For us this is a possible solution, because this machine is used internally in a test environment.
Configure Glassfish so that we can use the admin service remotely via secure https access and from the local environment with http.
We prefer solution 1, because it fits better in our environment and requires less effort. At the moment I see no way; does a solution exist (not for production)?
I tried something for solution 2, similar to http-listener-1 and http-listener-2. So use two ports: 4848 for local unsecured access and, as an example, 4949 for remote secure access. But I always fail with the configuration. So I started with a step-by-step configuration. First enable the admin interface on two ports, and as a second step I want to add the secure access to the new port admin-listener. But I only got one of the ports working. Can anyone please help me with the target configuration? Any domain.xml will be welcome.
Thanks, Florian
You can try to use SSH and run asadmin utilities from remote machine.