
Invicti IAST for Java - Tomcat

[Invicti IAST Network Prerequisites]

Invicti IAST makes use of the IAST Bridge. The IAST sensor must be able to communicate with iast.invicti.com to transmit data to the DAST scanning engine.

  • Invicti IAST for Java requires Tomcat (8.5+) and Java (8+).
  • The Invicti IAST sensor needs to be deployed to your web application.

This document explains how to deploy the Invicti IAST agent for Java to your web server that uses Tomcat on Windows or Linux.

Warning

The following installation instructions are for the newer version of the Invicti Java IAST sensor. If you are running the older, aspectjweaver-based Java sensor, you must remove the old sensor before installing the newer version. Instructions on how to determine if you are using the older version of the Invicti Java IAST sensor and how to remove it can be found at the end of this document.

How to deploy Invicti IAST into your web server

To install the Invicti Java IAST sensor, you need to:

  1. Download the Invicti Java IAST agent (iastsensor.jar) from the Target’s settings in Invicti Platform. For more information, refer to the Introduction to Invicti IAST document.

Info

The Invicti IAST for Java download includes an Invicti IAST Token which, by default, is unique for each Target. Unless the Token has been changed to be the same for all the Targets, you need to download the Invicti Java IAST sensor for each Target separately. To use a single Invicti IAST agent for the entire web server, you need to adjust your Invicti IAST password.

  2. Save the downloaded Invicti Java IAST sensor to a location on your web server, for example, C:\JAVA_iastsensor or /usr/share/JAVA_iastsensor.
  3. Configure Tomcat to load the Invicti Java IAST sensor.

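On Windows, this can be done from Apache Tomcat Configuration > Java > Java Options; on Linux, the same options go on the JAVA_OPTS line of setenv.sh (the removal steps below use /usr/share/tomcat9/bin/setenv.sh). Add two parameters to the Java options: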

  • -javaagent:C:\JAVA_iastsensor\iastsensor.jar (mandatory; adjust the path depending on where you saved the iastsensor.jar file)
  • -Diastsensor.debug.log=ON (optional; enables debug logging and should only be used for troubleshooting)

[Image: Tomcat Java properties]

  4. Restart the Tomcat service.

Tip

The parameter -Diastsensor.debug.log=ON is optional and can be omitted. If it is retained, Invicti IAST logging is written as additional lines in the Tomcat logs, each starting with [Invicti-debug].

How to turn off and remove Invicti IAST for Java

To turn off the sensor and remove it from your website, you need to revert the changes made during the deployment of the sensor:

  1. Stop the Tomcat service.
  2. Remove the Invicti Java IAST sensor (iastsensor.jar) from the folder where it was saved.
  3. Reconfigure Tomcat so that it does not load the javaagent by removing the -javaagent and -Diastsensor.debug.log parameters.
    • On Windows, this can be done from the Apache Tomcat Configuration > Java > Java Options section.
    • On Linux, this can be done from /usr/share/tomcat9/bin/setenv.sh by removing the line JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/share/java/iastsensor.jar -Diastsensor.debug.log=ON"
  4. Restart the Tomcat service.

Warning

Although the Invicti IAST agent is secured with a strong password, it's recommended that the Invicti IAST client files be uninstalled and removed from the web application if they're no longer in use.

How to turn off and remove older versions of Invicti IAST for Java

Older versions of Invicti IAST for Java made use of aspectjweaver to provide the IAST feature. You can confirm if you are using the aspectjweaver-based Java sensor from the Apache Tomcat Configuration > Java > Java Options section. If the -javaagent option is loading aspectjweaver.jar, then you need to remove the older Invicti IAST for Java using the following instructions:

  1. Remove the Invicti Java IAST sensor (iastsensor.jar) from the folder or folders where it was deployed.
  2. Remove aspectjweaver.jar from the folder where it was copied to.
  3. Reconfigure Tomcat with Load Time Weaving turned off, as follows:
    • Remove the -javaagent and -Diastsensor.debug.log parameters in the Apache Tomcat Configuration > Java > Java Options section.
    • Restart the Tomcat service.
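
To check a Linux Tomcat host against the deployment and removal steps above, the following added example (not Invicti's code) scans an options file such as setenv.sh and reports whether it still loads iastsensor.jar or the older aspectjweaver.jar, whether the referenced jar exists, and whether debug logging was left on. The function name and finding labels are assumptions of this example, and it handles Linux-style paths only.

```bash
#!/usr/bin/env bash
# Added example (not Invicti code): report which IAST-related JVM options a
# Tomcat options file such as setenv.sh still carries. Finding names are ours.

audit_iast_opts() {
    local file opts agents jar
    file=$1
    # Drop comment lines, then put every option on its own line.
    opts=$(grep -v '^[[:space:]]*#' "$file" | tr ' \t"' '\n\n\n')
    agents=$(printf '%s\n' "$opts" | grep -- '^-javaagent:' || true)
    [ -n "$agents" ] || echo "NO_AGENT"
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        jar=${jar#-javaagent:}
        case "${jar##*/}" in
            # Older sensor: must be removed before installing the newer one.
            aspectjweaver*.jar) echo "LEGACY_ASPECTJ_SENSOR $jar" ;;
            iastsensor.jar)
                if [ -f "$jar" ]; then echo "SENSOR_CONFIGURED $jar"
                else echo "SENSOR_JAR_MISSING $jar"; fi ;;
            *) echo "OTHER_AGENT $jar" ;;
        esac
    done <<EOF
$agents
EOF
    # Debug logging is meant for troubleshooting only; flag it if left on.
    if printf '%s\n' "$opts" | grep -qx -- '-Diastsensor\.debug\.log=ON'; then
        echo "DEBUG_LOG_ON"
    fi
    return 0
}

# Constructed sample: a setenv.sh left behind by an incomplete removal.
demo_dir=$(mktemp -d)
cat > "$demo_dir/setenv.sh" <<EOF
# JAVA_OPTS="\$JAVA_OPTS -javaagent:/opt/disabled/iastsensor.jar"
JAVA_OPTS="\$JAVA_OPTS -javaagent:/usr/share/java/aspectjweaver.jar"
JAVA_OPTS="\$JAVA_OPTS -javaagent:$demo_dir/gone/iastsensor.jar -Diastsensor.debug.log=ON"
EOF
audit_iast_opts "$demo_dir/setenv.sh"
rm -rf "$demo_dir"
```

After the removal procedure has been completed, the expected output for the options file is NO_AGENT alone.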
