In the ARMS console, you can add an application to Application Security. After you restart the instances of the application, it uses the application security feature without any changes to the application code.

Prerequisites

  • Only Java applications can be added to Application Security, and a Java application must already be connected to the application monitoring feature before it can be added. For more information, see Overview.
  • The application monitoring feature requires the following Java agent versions:
    • In automatic upgrade scenarios, container applications and EDAS applications must use Java agents of v2.7.1.2 or later.
      Note Automatic upgrade scenarios refer to the scenarios where you can automatically upgrade agent versions by restarting applications or pods. For more information, see Update the ARMS agent for Java applications.
    • For manual upgrade scenarios, Java agents must be v2.7.1.3 or later.

    Log on to the ARMS console. In the left-side navigation pane, choose Application Monitoring > Agent List to view the agent versions of the connected applications. For information about how to upgrade agent versions, see Update the ARMS agent for Java applications.

Authorization

Before you add an application to Application Security, you must authorize ARMS to access Alibaba Cloud Security. Then, ARMS gains limited access to relevant resources that the application security feature depends on.

  1. Log on to the ARMS console.
  2. In the left-side navigation pane, choose Application Security > Application List.
  3. In the Application Security section, click Access Application Security.
  4. In the message that appears, click OK.
    After the authorization succeeds, ARMS automatically creates the AliyunServiceRoleForARMSSecurity service-linked role for the application security feature, and you can view the application list and connect the target application. For more information about the AliyunServiceRoleForARMSSecurity service-linked role, see Application security service-linked role.
    Note If you are prompted that you do not have the permissions to create the service-linked role, contact the owner of the Alibaba Cloud account to add the specified policy for the current RAM user. For more information, see FAQ.

Add an application

  1. Log on to the ARMS console.
  2. In the left-side navigation pane, choose Application Security > Application List. In the top navigation bar, select a region.
    The Applications page lists all Java applications that can be added to the application security feature.
    Note Before you add an application, make sure that the agent of the application is v2.7.1.3 or later.
  3. Add the application.
    • Add an application: Click Add in the Actions column corresponding to the application. In the message that appears, click OK.
    • Batch add applications:
      1. On the Applications page, click Add Application in the upper-left corner.
      2. In the Add Application dialog box, select the applications that you want to connect from the Not Added list, click the > icon to move the selected applications to the Added list, and then click OK.
  4. Restart the instances for the application locally to make the operation take effect.

    On the Applications page, the Status column shows Added for the application. After all instances are restarted, the application security feature takes effect on all instances of the application. If only some instances are restarted, the feature takes effect only on those instances.

    If the Status column of an application is Added, the Instances Added field displays the number of connected instances and the total number of instances of the application. You can click the numbers to view the connection status of each instance.

    Connect an application to the application security feature

Set prevention mode

After you connect an application to the application security feature, you can set its prevention mode. The available prevention modes are Monitor, Monitor and Block, and Disable. The default prevention mode is Monitor. After you have confirmed that the application runs normally in Monitor mode for a period of time, change the prevention mode to Monitor and Block so that the application is protected against attacks.

  1. In the left-side navigation pane, choose Application Security > Application List. Find the application and then click Protection Settings in the Actions column.
  2. In the Protection Settings dialog box, set the following parameters and click OK.
    Prevention Mode
      • Monitor: only monitors attacks. If alert rules are configured and an attack is detected, an alert is generated. The application is not affected.
      • Monitor and Block: monitors and blocks attacks. If an attack is blocked, the application throws an exception.
      • Disable: disables the application security feature for the current application. No attacks are detected or blocked.
    Detection Timeout Period
      The maximum period allowed for attack detection. Valid values: 5 to 200000. Unit: milliseconds. Default value: 300. If the detection timeout period is reached before detection completes, the original business logic continues without waiting for the detection result. We recommend that you use the default value.
    Attack Type
      The attack types to detect. We recommend that you use the default value, All. For more information, see Attack types and solutions.
    Note Modifications to the protection settings of an application do not take effect immediately; there is a latency of up to 30 seconds.
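As an added illustration that is not ARMS agent code, the following Java sketch models the three prevention modes and the detection-timeout behavior described above; the detector, the 300 ms timeout value and the business operation are assumed placeholders, and the timeout path shows why a detector that is slower than the timeout lets the request through (fail-open) rather than blocking it.

```java
import java.util.concurrent.*;

// Added illustration (not ARMS agent code): models the Monitor, Monitor and Block and
// Disable modes plus the detection-timeout semantics. Detector and request are assumed.
public class PreventionModeDemo {
    enum Mode { MONITOR, MONITOR_AND_BLOCK, DISABLE }

    // In Monitor and Block mode a blocked attack surfaces in the application as an exception.
    static class AttackBlockedException extends RuntimeException {
        AttackBlockedException(String msg) { super(msg); }
    }

    private static final ExecutorService DETECTOR_POOL = Executors.newCachedThreadPool();

    /** Runs the detector with a deadline; on timeout the business logic continues (fail-open). */
    static String guard(Mode mode, long timeoutMs, Callable<Boolean> detector,
                        Callable<String> business) throws Exception {
        if (mode == Mode.DISABLE) {
            return business.call();               // nothing is detected or blocked
        }
        boolean attack = false;
        Future<Boolean> verdict = DETECTOR_POOL.submit(detector);
        try {
            attack = verdict.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            verdict.cancel(true);                  // give up on the verdict, keep serving the request
            System.out.println("detection timed out after " + timeoutMs + " ms; continuing (fail-open)");
        }
        if (attack) {
            if (mode == Mode.MONITOR_AND_BLOCK) {
                throw new AttackBlockedException("request blocked by application security");
            }
            System.out.println("attack detected; alert only, application not affected");
        }
        return business.call();
    }

    public static void main(String[] args) throws Exception {
        Callable<Boolean> fastDetector = () -> true;                                   // constructed: flags the request
        Callable<Boolean> slowDetector = () -> { Thread.sleep(2000); return true; }; // constructed: slower than 300 ms
        Callable<String> business = () -> "order placed";
        System.out.println(guard(Mode.MONITOR, 300, fastDetector, business));          // alert, request still served
        try {
            guard(Mode.MONITOR_AND_BLOCK, 300, fastDetector, business);                // attack blocked
        } catch (AttackBlockedException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println(guard(Mode.MONITOR_AND_BLOCK, 300, slowDetector, business)); // timeout: fail-open
        DETECTOR_POOL.shutdownNow();
    }
}
```

The third call is the caveat behind the recommendation to keep the default timeout: a detector that cannot finish within the deadline does not block, even in Monitor and Block mode.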

Disconnect an application

To disconnect an application from the application security feature, choose Application Security > Application List in the left-side navigation pane. On the page that appears, find the application and click Remove in the Actions column. In the message that appears, click OK. You must restart the instances for the application locally to make the operation take effect.

We recommend that you do not disconnect an application from the application security feature solely for performance reasons. After an application is connected to the application security feature, the default prevention mode is Monitor. In this mode, the system only reports attack alerts and does not block attacks, so the application is not affected. If needed, you can change the prevention mode to Disable, which turns off all security detection; no attack alert is reported even if an attack occurs.