This document provides an overview of the changes made to AMP for the current release. It contains important information not included in the manuals or in online help.
New Features
Enhancements
Configuration Requirements
Known Problems, Limitations and Workarounds
Support
Legal Notices
AMP 8.1 has a new model for roles and permissions that is based on organizations and projects. See the Quick Start guide or the Help for a description of how to use the new implementation of this feature.
Vulnerabilities can now be sent to HP Quality Center directly from the AMP Web Console.
Scans can now be archived to free up space in the database. Archiving can be set up to occur automatically for a site, or it can be done manually on individual scans. With the exception of enterprise reports, archived scans cannot be reported on; a scan must be restored before a report can be generated for it.
From the Scan Details page, the user can now see a graphic visualization of the relationships between page connections on the target site. NOTE: This feature requires the installation of Microsoft Silverlight.
In AMP 8.1, SmartUpdates containing binary changes must be approved by the administrator before they are made available to clients through the SmartUpdate service. The administrative approval screen shows details about the update, such as what content is included and any prerequisites required for the update.
All Views now ship with default groupings. Should the user edit the groupings on a page, the defaults can be restored via the Edit Layout dialog. The defaults are the following:

View: Default Grouping
Discoveries: Project Name
Reports: Status
Scans: Project Name
Scan Schedules: Project Name
Sites: Project Name
Vulnerabilities: Severity
In AMP 8.1, the start and end times recorded for imported scans are the actual times the scan ran, rather than the time of import. This can affect trending reports and Site risk scores.
Ability to add an Oracle-configured scan template
When creating a scan template in AMP 8.1, the user now has the option to base the template on settings that have been optimized for Oracle sites.
AMP 8.1 now supports native 64-bit operating systems.
The AMP 8.1 Web Console now has a link to the AMP landing page on the HP Web site. The following resources can be found on this page:
· Tutorials
· SmartUpdate information
· System requirement specifications
· An installer for the HP Security Toolkit
Before installing AMP 8.1, make sure that your system meets the following requirements:

· Microsoft .NET 3.5 SP1
· Microsoft Internet Explorer 7.0 or 8.0, or Firefox 2.x or 3.x
· An active Internet or intranet connection
· 2 GB of RAM
· 5 GB (remote database) or 20 GB (local database) of free disk space
· 2.5 GHz processor or better
· Microsoft IIS 6.0 or 7.0
· Windows Server 2003 SP1 or Windows Server 2008

· 1 GB of memory
· 2 GB of free disk space
· 1.5 GHz processor or better
· Windows XP SP2, Windows Server 2003 SP1, Windows Server 2008 or Windows Vista

· 2 GB of memory
· 2 GB of free disk space
· 1.5 GHz processor or better
· Windows XP Professional SP2, Windows Server 2003 Standard SP1, or Windows Vista SP1
· SQL Server 2005 Express Edition SP1
· The minimum screen resolution for WebInspect is 1024 x 768. For best performance, use a screen display of 1280 x 1024.

· 2 GB of RAM
· 20 GB of free disk space
· 2 GHz processor or better
· Microsoft SQL Server 2005
· Windows Server 2003 SP1

· For an AMP environment to support Internet Protocol version 6 (IPv6), the IPv6 protocol must be deployed on each AMP Console, AMP Sensor, and the AMP Server.
There is a known limitation when upgrading AMP Sensors that use Windows authentication to connect to SQL Server. The credentials of the account that the AMP Sensor service runs as are not stored, so when the sensor service is upgraded the credentials are lost and the new version of the sensor cannot authenticate with SQL Server. This only occurs with AMP sensors version 8.0 and earlier, and does not occur if the sensor uses SQL Express or authenticates to SQL Server with SQL Authentication. To prevent sensors configured in this way from going offline, we have created the "Sensor Service Run As Utility". This utility securely stores the credentials so that version 8.1 of the AMP Sensor and newer can retrieve them and connect to SQL Server after upgrading. The URL for downloading the utility and the instructions are listed below. Contact HP ASC Support if you have any questions.
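The following script is an added example for this editor's review and is not HP's code or part of the Sensor Service Run As Utility. Before upgrading, it inventories the logon account of the AMP Sensor service on each sensor host so that sensors running as a named Windows account (the configuration whose credentials the pre-8.1 upgrade cannot preserve) can be identified and have the utility applied first. The service-name pattern '*Sensor*' is an assumption; confirm the actual service name with Get-Service on one sensor host and adjust it if needed.

```powershell
# Added example, not HP's code. Lists which account each sensor host's AMP Sensor
# service runs as, so the hosts that need the Sensor Service Run As Utility before
# the 8.1 upgrade can be found in advance.
# Assumption: the service Name or DisplayName contains 'Sensor' (adjust $ServicePattern).
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$ServicePattern = '*Sensor*'
)

function Get-SensorServiceAccount {
    param([string]$Computer, [string]$Pattern)
    Get-WmiObject -Class Win32_Service -ComputerName $Computer -ErrorAction Stop |
        Where-Object { $_.Name -like $Pattern -or $_.DisplayName -like $Pattern } |
        ForEach-Object {
            # Built-in accounts (LocalSystem, LocalService, NetworkService) have no stored
            # password, so they are not affected; any named domain or local account is.
            $builtIn = $_.StartName -match '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$'
            New-Object PSObject -Property @{
                Computer          = $Computer
                Service           = $_.Name
                RunsAs            = $_.StartName
                State             = $_.State
                NeedsRunAsUtility = -not $builtIn
            }
        }
}

$results = foreach ($c in $ComputerName) {
    try   { Get-SensorServiceAccount -Computer $c -Pattern $ServicePattern }
    catch { Write-Warning "${c}: $($_.Exception.Message)" }
}

$results | Select-Object Computer, Service, RunsAs, State, NeedsRunAsUtility | Format-Table -AutoSize

$affected = @($results | Where-Object { $_.NeedsRunAsUtility })
if ($affected.Count -gt 0) {
    Write-Warning ("{0} sensor service(s) run as a named account; run the Sensor Service Run As Utility on those hosts before upgrading." -f $affected.Count)
}
```

Run it from an account with WMI access to the sensor hosts, for example `.\Get-SensorAccounts.ps1 -ComputerName sensor01,sensor02`. A sensor whose service runs as a named account is the case the release notes describe: its password is not retained across the service upgrade, so the new sensor cannot open its SQL Server connection and goes offline.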
AMP Database Upgrade Change
The AMP database upgrade has been modified to reduce the total hard drive space necessary to perform the upgrade. The upgrade now manages the new database's transaction log: it first switches the new database to the Simple recovery model if it was set to Full. During the upgrade process the transaction log is periodically shrunk to reclaim hard drive space, and at the end of the upgrade it is shrunk one final time to 50 megabytes. Finally, if the database was using the Full recovery model, it is set back to Full.
This may concern users who have set up their own database and find that the transaction log settings have changed; they can change the settings back once the upgrade has finished. Note that switching a database from Full to Simple and back breaks its transaction log backup chain: take a full (or differential) backup of the AMP database after the upgrade before resuming transaction log backups, because until then log backups fail and point-in-time recovery is not possible.
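The following script is an added example and is not part of the AMP upgrade or HP's tooling. It records the AMP database's recovery model before the upgrade and, afterwards, restores the recorded model if the upgrade left it changed and takes a full backup so that transaction log backups can resume. The instance name 'localhost', the database name 'AMP' and the backup folder 'D:\Backup' are assumptions; adjust them for your environment.

```powershell
# Added example, not HP's code. Run with -Phase Before on the SQL Server hosting the
# AMP database prior to the 8.1 upgrade, and with -Phase After once it has finished.
# Assumed names: instance 'localhost', database 'AMP', backup folder 'D:\Backup'.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Before', 'After')][string]$Phase,
    [string]$Server    = 'localhost',
    [string]$Database  = 'AMP',
    [string]$StateFile = "$env:ProgramData\amp-recovery-model.txt",
    [string]$BackupDir = 'D:\Backup'
)

# Runs one T-SQL statement as the current Windows user. Values such as the backup
# file name go through SqlParameter; the database name, which T-SQL cannot take as a
# parameter, is bracket-quoted below instead of being spliced in raw.
function Invoke-Sql {
    param([string]$Sql, [hashtable]$Params = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $cmd.CommandTimeout = 0   # a full backup of a large AMP database can take a while
        foreach ($name in $Params.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Params[$name]) }
        return $cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
}

function Get-RecoveryModel {
    [string](Invoke-Sql 'SELECT recovery_model_desc FROM sys.databases WHERE name = @name' @{ '@name' = $Database })
}

$dbQuoted = '[' + $Database.Replace(']', ']]') + ']'

switch ($Phase) {
    'Before' {
        $model = Get-RecoveryModel
        if (-not $model) { throw "Database '$Database' not found on $Server" }
        Set-Content -Path $StateFile -Value $model
        Write-Host "Recorded recovery model '$model' for $Database in $StateFile"
    }
    'After' {
        $wanted = (Get-Content -Path $StateFile).Trim().ToUpper()
        if (@('FULL', 'SIMPLE', 'BULK_LOGGED') -notcontains $wanted) { throw "Unexpected value '$wanted' in $StateFile" }
        $current = Get-RecoveryModel
        Write-Host "Recovery model is now '$current'; recorded value was '$wanted'"
        if ($current -ne $wanted) {
            [void](Invoke-Sql "ALTER DATABASE $dbQuoted SET RECOVERY $wanted")
            Write-Host "Recovery model set back to $wanted"
        }
        if ($wanted -eq 'FULL') {
            # FULL -> SIMPLE -> FULL breaks the log backup chain; a full backup restarts it.
            $file = Join-Path $BackupDir ('{0}_post_upgrade_{1:yyyyMMdd_HHmm}.bak' -f $Database, (Get-Date))
            [void](Invoke-Sql "BACKUP DATABASE $dbQuoted TO DISK = @file WITH INIT" @{ '@file' = $file })
            Write-Host "Full backup written to $file; transaction log backups can resume from here"
        }
    }
}
```

The "After" phase is deliberately conservative: it only issues ALTER DATABASE when the current model differs from the recorded one, and it takes the post-upgrade full backup whenever the database was in Full recovery, since the upgrade's own switch to Simple invalidates any earlier log chain regardless of what the model reads afterwards.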
When attempting to SmartUpdate, the following error occurs:
"SmartUpdate failed: Unable to apply Manager updates: The underlying connection was closed: An unexpected error occurred on a receive."
This error occurs because the AMP Manager is running under a different user than the Web Proxy process. The SSL requests to the SmartUpdate service fail because the Manager does not recognize (and therefore does not trust) the Web Proxy root certificate, which is installed in the certificate store of the user running Web Proxy.
Workaround: Manually move the Web Proxy certificate from the user store to the local machine store so that it can be found and validated by the AMP Manager. After the certificate is moved to the machine store, the AMP Manager will be able to SmartUpdate through Web Proxy successfully regardless of which user is running the Web Proxy tool.
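The following script is an added example of the workaround above and is not HP's code. It copies the Web Proxy root certificate from the current user's Trusted Root store to the machine-wide Trusted Root store and optionally removes it from the user store. The subject text 'Web Proxy' used to locate the certificate is an assumption; list Cert:\CurrentUser\Root first and pass the matching text (or adjust the filter to a thumbprint) if your Web Proxy certificate is named differently.

```powershell
# Added example, not HP's code. Run in an elevated PowerShell session on the AMP
# server, as the user who ran the Web Proxy tool, so that Cert:\CurrentUser\Root is
# that user's store. Assumption: the certificate Subject contains $SubjectMatch.
param(
    [string]$SubjectMatch = 'Web Proxy',
    [switch]$RemoveFromUserStore
)

$candidates = @(Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Subject -like "*$SubjectMatch*" })
if ($candidates.Count -ne 1) {
    Write-Error "Expected exactly one certificate matching '$SubjectMatch' in CurrentUser\Root, found $($candidates.Count)."
    Get-ChildItem Cert:\CurrentUser\Root | Select-Object Thumbprint, Subject | Format-Table -AutoSize
    exit 1
}
$cert = $candidates[0]

function Open-RootStore {
    param([string]$Location)   # 'LocalMachine' or 'CurrentUser'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    return $store
}

# Add to the machine store only if that exact certificate (by thumbprint) is not there yet.
$already = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($already) {
    Write-Host "Certificate $($cert.Thumbprint) is already in LocalMachine\Root"
} else {
    $store = Open-RootStore -Location 'LocalMachine'
    try { $store.Add($cert) } finally { $store.Close() }
    Write-Host "Added $($cert.Thumbprint) ($($cert.Subject)) to LocalMachine\Root"
}

if ($RemoveFromUserStore) {
    $store = Open-RootStore -Location 'CurrentUser'
    try { $store.Remove($cert) } finally { $store.Close() }
    Write-Host "Removed $($cert.Thumbprint) from CurrentUser\Root"
}

# Confirm the machine store now holds it; this is the store the AMP Manager service reads.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize
```

A root certificate in LocalMachine\Root is trusted by every user and service on that host, and Web Proxy's root key is what signs the certificates it presents for intercepted TLS connections. Do this only on the AMP server that needs to SmartUpdate through Web Proxy, and remove the certificate from the machine store (Remove-Item on the Cert: path, or the Certificates MMC snap-in) once Web Proxy is no longer in use.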
Multiple selections across groups do not work properly: selecting a new group from the tree clears the current selection. Multiple selections do work properly between individual pages when grouped.
The following are known issues related to scans:
· E-mail notifications of an aborted scan are identical to notifications of scans that completed normally.
· A sensor that is currently running a scan shows as "Available" in the topmost status area, but as "Scanning" under the scanType section. This is because it is still available for discovery scans.
· A custom policy cannot be used to perform a web service assessment of a web site; the web service scan is tied only to the standard SOAP policy.
The following are known issues when archiving a scan:
· If the connection to the database is lost while AMP is archiving a scan, the archiving process does not continue once the database connection has been restored, and the scan remains in the archiving state. To get the archive to resume, refresh the scan page, which causes the archive request to be resubmitted and processed.
· The Exclude option on the maintenance menu is not enabled on the scan details page when a scan is included for auto archive. Once the page has been refreshed, the option is enabled.
The following is a known issue related to roles and permissions:
· For a user to view a sensor's status in the Windows console, the user must have the AMP system permission to view sensors. This view permission is independent of the availability of the sensor at the organization or project level.
The following are known issues related to sites:
· Scheduled scans added via the AMP Web Client API are not automatically added to the site catalog. If an attempt is made to add the site manually, a "site already exists" error is generated, but the site never shows up in the drop-down.
· User input on several fields on the Site Details -> Properties tab is truncated if more than 100 characters are entered, and no notification is given that the input was truncated. The truncated fields are: Site Name, Group, Operating System, Contact Name, and Contact e-mail.
· Site filters do not include projects or organizations.
The following are known issues related to reports:
· In the reports grid, the Completed Time column displays a UTC timestamp rather than local time for Alert View, Compliance, and Trend report definitions.
· In the report designer, when a report containing tag data is previewed, the scans and data do not adhere to the tags selected from the tag picker. This is only an issue when previewing the report; when the report is run, the data is correctly filtered by the selected tags.
· The Master Template is not synchronized when you upload all definitions from the server using the Upload All (<<) button. Synchronization works when done individually on the Master Template.
· While synchronizing report definitions, occasionally the green arrow icon stays crossed out. (Note: only the UI representation is misleading; the report definitions are actually synced to the server.)
The following are known issues related to upgrading:
· The credential loss described above: when a sensor service that uses Windows authentication to connect to SQL Server is upgraded, the new version of the sensor cannot authenticate with SQL Server.
· Proxy information is lost when upgrading an AMP 8.0 database to AMP 8.1.
· Scheduled Discovery scans that are disabled in AMP 8.0 are enabled following the upgrade to AMP 8.1. Review the scan schedules after upgrading and disable again any Discovery scans that should not run.
· Issues occur in Internet Explorer and Firefox when opening reports created in AMP 3.5 and upgraded to AMP 8.0. When attempting to open a PDF report, the user is prompted to save the report as an .aspx file; the workaround is to rename the file with a .pdf extension. In Internet Explorer, an error is generated when attempting to open an HTML report.
· WebInspect 8.0 requires the .NET 3.5 SP1 framework. If the sensor does not have this component installed and AMP pushes the update down, the update fails. The sensor goes "offline" and is unresponsive until the required framework is installed.
The following are known issues related to import/export of sites, scans, and reports:
· Exporting and importing sites in CSV format can cause duplicate sites to be listed. Since AMP 8.0 the site URL is no longer unique, which makes it difficult to know whether the user intended to update existing sites or create new ones. Rather than have the user inadvertently overwrite data, duplicate sites are created. Use the XML format if the intention is to update existing sites with new data.
· Imported scans cannot be repeated. The "repeat scan" menu items are enabled for imported scans, so it appears that this action is allowed, but you will receive an error if you attempt to repeat an imported scan.
· There is a discrepancy between the scan name limits for export and import. AMP lets you export a scan name of more than 50 characters, but you will receive an error if you try to import a scan name of that size.
· A Discovery Scan with the "Scan always" option does not generate a file when you select XML export and give the export a file name.
· When exporting reports to TIFF format, only the report title page is saved to the specified location.
· When exporting a site as XML, invalid Created Time and Last Updated Time values are written to the file.
· You will receive a "501 Unsupported" error when attempting to upload an unnamed scan to AMP while a site is selected. Scan upload works if no site is selected. Another workaround is to name the scan in WebInspect before uploading it to AMP.
The following are known issues related to tags:
· Tag names cannot begin with numerals. A tag name can contain numerals as long as it does not begin with one.
· Tag names cannot contain the following special characters: ! @ # $ % ^ & * ( ) - + = [ { ] } \ | ; : ' " < , > . ? /
· If a user removes a tag that is displayed in the grid, the data is removed but the column remains displayed. In the column configuration dialog the column is no longer listed; if the user clicks Cancel, the column remains, and if the user clicks OK, the column is no longer displayed.
· When setting up a tag value for a site filter, the "<" character causes an error and the filter is not saved. This character can be used as a tag value in other windows.
The following are known issues related to Send to QC:
· Send to QC functionality does not support Firefox version 2.0.
· Sending defects to QC fails for user accounts with empty passwords.
The following are general known issues:
· Windows 2008 R2 is not supported by Quality Center 9.2 or 10.0. Consequently, "Send to QC" does not work on this Windows OS.
· Improved grid performance and reliability.
· The Web Console uses the regional settings of the AMP Server, not those of the user's client.
· Site URLs do not allow Unicode characters.
· A misleading error message, "You do not have permissions to perform the requested operation," occurs if you enter an AMP Manager URL beginning with "http" in the "Configure AMP Sensor" dialog when the AMP server is configured to use SSL. If the AMP Manager URL begins with "https", no error occurs.
· When the AMP Console loses its connection to the AMP server and the error message "Unable to connect to or lost connection to the AMP Server. Please try again." appears, the AMP Console cannot be closed by selecting File -> Exit or clicking the 'X' button. The user must use Task Manager to close the console.
· When DevInspect for Eclipse connects to AMP, it can obtain multiple connection tokens, because DevInspect for Eclipse does not release its token when it receives SmartUpdates from AMP. The token eventually times out and the entry in the console goes away.
· DevInspect for Visual Studio scans have blank request and response pages in the vulnerability details page.
· After performing a SmartUpdate on AMP 8.0, the report log is inundated with the following entry:
2009-03-24 11:59:47,217 ERROR [ReportUpdateThread] Plugin Processor: Error in syncPlugins for type [GRAPHICS] Error:
This error occurs because the SmartUpdate code failed to create the following directory on the system:
\ProgramData\HP\AMP\8.0\AmpReportingService\PluginCache\GRAPHICS\
The workaround is to create the directory on the AMP system. Once the directory exists, the error message is no longer added to the log.
· Due to a defect in Microsoft Windows Server 2003, the AMP sensor (or WebInspect) is unable to read the sensor configuration file. To resolve this, the configuration files must be renamed for Windows Server 2003 as follows:
§ AMPSensorWI.config (Windows Server 2003 only)
§ AMPSensorWI.exe.config (non-Windows Server 2003)
§ wi.config (Windows Server 2003 only)
§ wi.exe.config (non-Windows Server 2003)
For AMP support, contact HP's Application Security Center support team through the HP support portal:
http://support.openview.hp.com/
Or, for support via telephone (U.S. information below; options may vary by location):
1. Dial +1.800.633.3600, and select option 2 for Software Support.
2. Enter your Service Agreement ID (SAID) number.
3. Select option 1 for enterprise application software assistance.
4. Select option 5 for former SPI Dynamics products.
©Copyright 2004-2010 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.