Enabling Application Protection

Scenario

To protect web applications, enable application protection for servers. While protection is enabled, the microservice RASP plug-ins are installed on servers.

How to Enable

Application protection can be enabled automatically or manually. The differences are as follows:

How to Enable	Advantage	Restriction	Operation
Automatic	You do not need to manually configure application protection startup parameters. HSS automatically identifies and accesses web applications that have listening ports on the protected servers, and dynamically loads or unloads application protection as needed when web applications are running.	This method depends on automatic dynamic RASP, which is in the OBT phase. To use this function, submit a service ticket. If a web application is just started and runs for 5 minutes or less, RASP cannot be enabled using this method. When the running time of the application exceeds 5 minutes, RASP is automatically enabled. Web applications of JRE 8, JRE 11, and JRE 17 are not supported. For JDK 17, --add-opens=java.base/java.lang=ALL-UNNAMED needs to be added to the web application startup parameters.	Automatically Enabling Application Protection
Manual	Web applications without listening ports can be accessed. Web applications of JRE 8, JRE 11, and JRE 17 are supported.	You need to manually configure application protection startup parameters for applications.	Manually Enabling Application Protection

Automatically Enabling Application Protection

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
Choose Server Protection > Application Protection. Click the Protected Servers tab.

If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

Figure 1 Viewing protection settings

Click Add Server. The Add Server slide-out panel is displayed.

Select servers and a protection policy. Click Add and Enable Protection. For more information, see Table 1.

Figure 2 Adding protected servers

**Table 1** Parameters for adding a protected server
Parameter	Description	Example Value
OS	Server OS type. It can be Linux or Windows.	Linux
Auto-enable Dynamic RASP	Whether to automatically enable dynamic RASP. If this function is enabled, JVM Attach capabilities are used to automatically identify and access web applications (including container environments) that have listening ports on servers, and to integrate application protection into the web applications. In this way, application protection can be dynamically loaded and unloaded when web applications are running. The web applications do not need to be restarted, thereby ensuring service continuity. If a web application is just started and runs for 5 minutes or less, the function cannot be enabled using this method. When the running time of the application exceeds 5 minutes, the function is automatically enabled. NOTE: This function is in the OBT phase. To use it, submit a service ticket.	Enabled
RASP Port	RASP listening port.	19999
Policy	Application protection policy. HSS provides a default policy, which contains all the detection rules of application protection. For details, see Detection Capabilities. If the default policy is not applicable to your workloads, you can create a custom policy. For details, see Adding a Protection Policy.	default policy

On the Protected Servers page, check whether the RASP Status of the server is Protected. If yes, RASP has been enabled for all the web applications on the server.
- If the RASP Status of a server is Enabling protection, the system is installing the RASP plug-in and enabling RASP for the server. Wait for several minutes.
- If the RASP Status of a server is Protection failed or Partially protected, click View Details in the Operation column of the server to view the cause of the protection failure and rectify faults accordingly.
  If information similar to the following is displayed, go to 7.
```
11\u0502 27, 2024 11:15:26 \u024f\u03a7 com.huawei.hisec.secshield.main.AttachMain verify\r\n\u044f\u0598: JDK 17 must contain parameter \"--add-opens=java.base/java.lang=ALL-UNNAMED\"\r\n11\u0502 27, 2024 11:15:26 \u024f\u03a7 com.huawei.hisec.secshield.main.AttachMain verify\r\n\u044f\u0598: JDK 17 must contain parameter \"--add-opens=java.base/java.lang=ALL-UNNAMED\"\r\n
```
(Optional) For a web application of JDK 17, add the --add-opens=java.base/java.lang=ALL-UNNAMED parameter to its startup script.
The configuration method varies depending on the application type and version. The following uses Apache Tomcat 11.0.0 as an example.
- Tomcat (Windows)
  Add the --add-opens=java.base/java.lang=ALL-UNNAMED parameter to the catalina.bat file in the bin directory of the Tomcat installation directory, as shown in Figure 3.
  
  Figure 3 catalina.bat
- Tomcat (Linux)
  Add the --add-opens=java.base/java.lang=ALL-UNNAMED parameter to the catalina.sh file in the bin directory of the Tomcat installation directory, as shown in Figure 4.
  
  Figure 4 catalina.sh
Wait for 5 to 10 minutes after the configuration is complete. If the RASP Status of the server is Protected, RASP has been enabled.

Manually Enabling Application Protection

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
Choose Server Protection > Application Protection. Click the Protected Servers tab.

If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

Figure 5 Viewing protection settings

Click Add Server. The Add Server slide-out panel is displayed.

Select servers and a protection policy. Click Add and Enable Protection. For more information, see Table 2.

Figure 6 Adding protected servers

**Table 2** Parameters for adding a protected server
Parameter	Description	Example Value
OS	Server OS type. It can be Linux or Windows.	Linux
RASP Port	RASP listening port.	19999
Policy	Application protection policy. HSS provides the default policy, which contains 16 detection rules. If the default policy is not applicable to your workloads, you can create a custom policy. For details, see Adding a Protection Policy.	default policy

On the Protected Servers tab page, check whether the RASP Status of the server is Unprotected.

If the RASP Status is Enabling protection, the system is installing the RASP plug-in on the server. Wait for several minutes.
Manually configure startup parameters for web applications to enable RASP protection.
1. Click Manual Configuration. The Configure Microservice RASP slide-out panel is displayed.
  Figure 7 Manual configuration
2. Select a web application. Copy the startup parameters as instructed, and paste the startup parameters to the startup script of the web application.
  Figure 8 Configuring startup parameters
3. After the startup parameters are set, restart the web application.
4. Wait for 5 to 10 minutes. In the Operation column of the server, click View Details. The Application Protection Details slide-out panel is displayed.
5. Check the RASP protection status of the web application. If the status is Protected, it indicates protection has been enabled.
  If a server has multiple web applications, perform the preceding operations for these web applications one by one. If you set startup parameters for only one web application, the protection status of the target server on the Protected Servers page will be Partially protected.

Related Operations

To change a protected RASP port, click Edit Port in the Operation column of a server. After the port is changed, the system will restart the RASP plug-in. It will take several minutes.

Parent Topic: Application Protection

Previous topic: Application Protection Overview

Next topic: Viewing Application Protection