Configuring authentication and connectivity for API scans

You can configure proxy settings, network authentication, and site authentication on the Authentication and Connectivity page of the API Scan Wizard. Options for configuring authentication include the following:

Configuring proxy settings for API and web service scans
Configuring network authentication for API and web service scans
Using a client certificate
Using custom headers
Configuring SOAP authentication

Note: Some options in this topic do not apply to legacy web services scans using a Web Service Definition Language (WSDL) file or an existing Web Service Test Design (WSD) file.

Configuring proxy settings for API and web service scans

If you need to access the target site through a proxy server, you can configure proxy settings on the Authentication and Connectivity page of the API Scan Wizard.

To configure proxy settings:

Select Network Proxy and then choose an option from the Proxy Profile list:
- Auto Detect: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and use this to configure the browser's Web proxy settings.
- Use System Proxy: Import your proxy server information from the local machine.
- Use PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. If you select this option, click Edit to enter the location (URL) of the PAC.
- Use Explicit Proxy Settings: Specify proxy server settings. If you select this option, click Edit to enter proxy information.
- Use Mozilla Firefox: Import your proxy server information from Firefox.
Important! Socks4 proxy servers do not support authentication. When using a Socks proxy server that requires authentication, you must use a Socks5 proxy.

Note: Electing to use browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected, then a proxy server will not be used.

Configuring network authentication for API and web service scans

You can configure network authentication for accessing the Web server on the Authentication and Connectivity page of the API Scan Wizard.

To configure network authentication for the Web server:

Select Network Authentication.
In the Method drop-down list, select an authentication method. The API Type determines the available authentication methods. The complete list of methods is:
- ADFS CBT
- Automatic
- Basic
- Bearer
- Custom
- Digest
- Kerberos
- Negotiate
- NT LAN Manager (NTLM)
- OAuth 2.0 Bearer
Note: The ADFS CBT, Automatic, Kerberos, and Negotiate methods are not applicable to scans that use AuthProviders.

Continue according to the following table.

For this authentication type...	Do this...
ADFS CBT Automatic Basic Digest Kerberos Negotiate NTLM	Type the authentication username in the Username box. Type the authentication password in the Password box.
Custom	Type the custom header name or token name in the Scheme box. Type the token value in the Parameter box. When using Custom, you can fetch a token that is generated from a response to a workflow macro, and then use the token to apply state. For more information, see Fetching a token value. Note: Not available for SOAP web service scans.
Bearer	Type the token value in the Parameter box. When using Bearer, you can fetch a token that is generated from a response to a workflow macro, and then use the token to apply state. For more information, see Fetching a token value. Note: Not available for SOAP web service scans.
OAuth 2.0 Bearer	Click Configure and continue with Configuring OAuth 2.0 bearer credentials.

Fetching a token value

You can use a custom regular expression to fetch the token value from a login or workflow macro. If a match to the regular expression occurs in the response, then the value is fetched and used as a bearer token. If the regular expression contains parentheses, then the value inside the parentheses will be extracted and used as a bearer token. Only the first value inside parentheses will be used.

Note: Fetching a token value does not apply to OData or Swagger definition types.

To fetch a token value:

Select Fetch Token From Macro.
Do one of the following:
- To import an existing macro, click , and then locate and select the file to import.
- To record a macro, click .
Type a regular expression for pattern matching in the Fetch Token Search Pattern box.
Do one of the following:
- To have each scan thread run its own fetch macro playback and apply the bearer token value to the thread, select the Isolate State check box.
- To have only one fetch macro playback run for all scan threads and the single shared bearer token value apply to all threads, clear the Isolate State check box.

Using a client certificate

Client certificate authentication allows users to present client certificates rather than entering a user name and password for site authentication. You can enable the use of a certificate and then import the certificate to the scan settings.

Note: Client certificates do not apply to OData or Swagger definition types.

To use a client certificate:

Select Client Certificate.
Click .

A standard Windows file selection dialog box opens.
Locate and select the certificate file, and then click Open.

The certificate file is added to the Client Certificate box.
Enter the password in the Client Certificate Password box.

Updating certificates in composite scan settings

The composite scan settings include a BIN file that contains encrypted certificate data. If you need to replace or update the client certificate in your composite scan settings, you can place the updated PFX or P12 file inside the certificates directory in the composite settings ZIP file. When OpenText DAST opens the settings, it will check for PFX and P12 files first. If none are present, then the BIN file will be decrypted and used. For more information about composite settings, see Application settings: General.

To replace or update the client certificate:

Locate the encrypted BIN file in the certificates directory in your composite scan settings ZIP. The file name is a GUID, similar to the following:

<your-scansettings.zip>\certificates\0b627638-efda-4d01-a83e-80ee3a79b4cf.bin

Note: The default settings file location in Windows is C:\ProgramData\HP\HP WebInspect\Settings\.
Place the updated PFX or P12 file into the same directory.
Rename the PFX or P12 file the same name as the BIN file. Using the previous example, the file name will be as follows:

0b627638-efda-4d01-a83e-80ee3a79b4cf.pfx

— OR —

0b627638-efda-4d01-a83e-80ee3a79b4cf.p12

Important! Be sure to retain the original file extension.
Optionally, if you want to retain an encrypted certificate in the settings, save the settings again and the BIN file will reflect the updated PFX or P12 certificate. The PFX or P12 certificates will be removed from the ZIP.

Tip: PFX and P12 certificates frequently require a password. Use one of the following options to provide the password for the settings:

Set an empty password when you create the PFX or P12 certificate and place it in the settings ZIP file.
Keep the password for the PFX or P12 certificate and edit the settings.json file to place the password as the value for the CertificatePin as follows:

"CertificatePin": "<password>"

Using custom headers

If additional or different headers are required for authentication purposes, then you must add the information as a Custom Header.

You can configure multiple custom headers.

Important! You cannot configure more than one custom header using the same HTTP header name.

To add a custom header:

Select Custom Headers.
Click Add....
In the Name box, type the custom HTTP header name. For example, X-MyCustomAuth.

Important! The header must be unique and cannot be Authorization.
In the Scheme box, type the header value prefix name. For example, CustomToken.
In the Parameter box, type the custom header value.
Click OK.

The custom header is added to the list.

To edit a custom header:

In the Custom Headers list, select the custom header you want to edit.
Click Edit....
Follow steps 3 through 6 of the procedure To add a custom header:.

To remove a custom header:

In the Custom Headers list, select the custom header you want to remove.
Click Remove.

Configuring SOAP authentication

You can configure message-based authentication for SOAP scans.

To configure SOAP authentication settings:

Select SOAP Authentication.
Select that authentication method to use from the SOAP Method list. Options are Username Token and Certificate Pair.

Continue according to the following table.

For this SOAP method...	Do this...
Username Token	In the Username box, type the user name whose credentials are used to access the SOAP service. In the Password box, type the password for the user name. In the Username Token Type list, select the type of token. Options are Text and Hash. In the Timestamp list, select an option for when the Username Token was created and when it expires. Options are Created, Full, and None. If nonce is enabled for the token, select Include nonce. Important! Nonce is required for hash tokens because it helps the server to recalculate the hash and compare it to the data the client sent.
Certificate Pair	Click to the right of the Client Certificate box. A standard Windows file selection dialog box opens. Locate and select the certificate file, and then click Open. The certificate file is added to the Client Certificate box. In the Client Certificate Password box, type the password. Click to the right of the Server Certificate box. A standard Windows file selection dialog box opens. Locate and select the certificate file, and then click Open. The certificate file is added to the Server Certificate box. In the Server Certificate Password box, type the password.

For this SOAP method...

Do this...

Username Token

In the Username box, type the user name whose credentials are used to access the SOAP service.
In the Password box, type the password for the user name.
In the Username Token Type list, select the type of token. Options are Text and Hash.
In the Timestamp list, select an option for when the Username Token was created and when it expires. Options are Created, Full, and None.
If nonce is enabled for the token, select Include nonce.

Important! Nonce is required for hash tokens because it helps the server to recalculate the hash and compare it to the data the client sent.

Certificate Pair

Click to the right of the Client Certificate box.

A standard Windows file selection dialog box opens.
Locate and select the certificate file, and then click Open.

The certificate file is added to the Client Certificate box.
In the Client Certificate Password box, type the password.
Click to the right of the Server Certificate box.

A standard Windows file selection dialog box opens.
Locate and select the certificate file, and then click Open.

The certificate file is added to the Server Certificate box.
In the Server Certificate Password box, type the password.

Optionally, to identify the Web Services Addressing (WS-Addressing) schema version used by the SOAP service, select WS Addressing and continue as follows:
1. In the Schema Version list, select the version. Options are NONE, WSA0408, and WSA0508.
2. In the WSA: To box, enter the URL override for the web service host.
  
  Note: SOAP services may be exposed by way of a load balancer or reverse proxy. This configuration may prevent the sensor from getting the correct information for the internal web service host name. The "WSA: To" URL override provides the correct address into WS Addressing.
  
  The URL override uses the following format:
  
  https://<host_name><service_path>/<port_name>

What's next?

Do one of the following:

If you are configuring a legacy web services scan using a Web Service Definition Language (WSDL) file or an existing Web Service Test Design (WSD) file, click Next and proceed with Configuring scan details for API and web service scans.
For all other API scans, click Next and proceed with Configuring API content and filters.