Deploying the Acunetix 360 AcuSensor agent for Java - Tomcat (Windows/Linux/Docker)
AcuSensor Network Prerequisites
- Acunetix 360 Java AcuSensor requires Tomcat (8.5+) and Java (8+).
- The AcuSensor agent will need to be deployed to your web application. This guide shows you how to deploy AcuSensor to a Java web application.
IMPORTANT: The following installation instructions are for the newer version of the JAVA IAST sensor. If you are running the older, aspectjweaver-based JAVA sensor, you need to remove the old sensor before proceeding with installing the newer version of the JAVA sensor. Instructions on how to check if you are using the older version of the JAVA sensor and how to remove it can be found at the end of this document.
How to deploy AcuSensor into your web server
To install the Java AcuSensor, you need to:
- Download the Java AcuSensor agent (AcuSensor (IAST and SCA).jar) from the Acunetix 360 UI. The Java AcuSensor download file includes the AcuSensor Token which, by default, is unique for each target website URL. Unless the Token has been changed to be the same for all the targets, you will need to download the Java AcuSensor agent for each target website separately. You will need to adjust your AcuSensor password to use a single AcuSensor agent for the entire web server.
- Save the downloaded Java AcuSensor agent to a location on your web server (e.g. C:\JAVA_AcuSensor or /usr/share/JAVA_AcuSensor).
- Tomcat needs to be configured to load the Java AcuSensor.
- On Windows, this can be done from the Apache Tomcat Configuration > Java tab > Java Options section. Add 2 parameters to the Java Options:
- -javaagent:C:\JAVA_AcuSensor\acusensor (IAST and SCA).jar (mandatory; adjust the path depending on where you saved the AcuSensor (IAST and SCA).jar file)
- -Dacusensor.debug.log=ON (optional; enables debug logging and should only be used for troubleshooting)
- On Linux, this can be done in /usr/share/tomcat9/bin/setenv.sh by adding the line JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/share/java/acusensor.jar -Dacusensor.debug.log=ON"
- Restart the Tomcat service.
NOTE: The parameter "-Dacusensor.debug.log=ON" is optional and can be omitted. If it is retained, AcuSensor logging is written to the Tomcat logs as additional lines starting with "[Invicti-debug]".
How to disable and remove AcuSensor for Java
To disable and remove the sensor from your website, you need to revert the changes made during the deployment of the agent:
- Stop the Tomcat service.
- Remove the Acunetix Java AcuSensor (AcuSensor (IAST and SCA).jar) from the folder where it was saved.
- Reconfigure Tomcat so that it does not load the javaagent by removing the -javaagent and -Dacusensor.debug.log parameters.
- On Windows, this can be done from the Apache Tomcat Configuration > Java tab > Java Options section.
- On Linux, this can be done from /usr/share/tomcat9/bin/setenv.sh by removing the line JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/share/java/AcuSensor (IAST and SCA).jar -Dacusensor.debug.log=ON"
- Restart the Tomcat service.
NOTE: Although the Acunetix AcuSensor agent is secured with a strong password, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.
How to disable and remove older versions of AcuSensor for Java
Older versions of AcuSensor for Java made use of aspectjweaver to provide the IAST functionality. You can confirm if you are using the aspectjweaver-based Java sensor from the Apache Tomcat Configuration > Java tab > Java Options section. If the -javaagent option is loading aspectjweaver.jar, then you need to remove the older AcuSensor for Java using the following instructions:
- Remove Acunetix Java AcuSensor (AcuSensor (IAST and SCA).jar) from the folder or folders where it was deployed.
- Remove aspectjweaver.jar from the folder where it was copied to.
- Reconfigure Tomcat with Load Time Weaving disabled, as follows:
- Remove the -javaagent and -Dacusensor.debug.log parameters in the Apache Tomcat Configuration > Java tab > Java Options section.
- Restart the Tomcat service.
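
To check a Linux host against the steps above, the following added example (not part of Acunetix 360; acusensor_audit is a hypothetical helper name and the sample file content is constructed) reads a Tomcat setenv.sh and reports whether an active line loads the current AcuSensor agent or the older aspectjweaver.jar, and whether -Dacusensor.debug.log=ON is still set:

```shell
#!/bin/sh
# Added example, not Acunetix code. acusensor_audit is a hypothetical helper.
# It reports which agent an active (uncommented) line of setenv.sh loads and
# whether AcuSensor debug logging is still switched on.

acusensor_audit() {
    file="$1"
    [ -r "$file" ] || { echo "error=unreadable"; return 2; }

    # Drop comment lines so a commented-out option is not reported as active.
    active=$(grep -v '^[[:space:]]*#' "$file" || true)

    agent="none"
    if printf '%s\n' "$active" | grep -qi -e '-javaagent:.*aspectjweaver\.jar'; then
        agent="legacy-aspectjweaver"
    elif printf '%s\n' "$active" | grep -qi -e '-javaagent:.*acusensor'; then
        agent="acusensor"
    elif printf '%s\n' "$active" | grep -q -e '-javaagent:'; then
        agent="other"
    fi

    debug="off"
    if printf '%s\n' "$active" | grep -q -e '-Dacusensor\.debug\.log=ON'; then
        debug="on"
    fi

    echo "agent=$agent debug=$debug"
    # Non-zero when this guide calls for action: the old sensor must be
    # removed first, and debug logging is meant for troubleshooting only.
    [ "$agent" != "legacy-aspectjweaver" ] && [ "$debug" = "off" ]
}

# Constructed sample setenv.sh: a commented-out legacy line (path is made up)
# followed by the Linux line shown in this guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# JAVA_OPTS="$JAVA_OPTS -javaagent:/opt/old/aspectjweaver.jar"
JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/share/java/acusensor.jar -Dacusensor.debug.log=ON"
EOF
acusensor_audit "$sample" || echo "action needed"
rm -f "$sample"
```

After removing the sensor, the same check on the real setenv.sh should report agent=none debug=off.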