The application protection feature can monitor processes on which the runtime application self-protection (RASP) agent is installed and prevent malicious behaviors and threats in real time to ensure the continuous and stable running of applications. This topic describes how to add an application to the application protection feature.
Description of the RASP agent
Supported applications
The application protection feature detects attacks by using the RASP agent that is installed for applications. The application protection feature protects only Java processes that meet the following conditions. (You can install the RASP agent only on those Java processes.)
Java Development Kit (JDK): The JDK version is JDK 6 or later. JDK 13 and JDK 14 are not supported.
Middleware: The RASP agent does not have specific requirements for the type and version of middleware. The following types of middleware are supported: Tomcat, Spring Boot, JBoss, WildFly, Jetty, Resin, Oracle WebLogic Server, WebSphere Application Server, Liberty, Netty, GlassFish, and middleware developed by Chinese vendors.
Operating system: The Linux 64-bit or Windows 64-bit operating systems are used.
Resource usage thresholds
When the resource usage of a server, container, or Java virtual machine (JVM) exceeds a specific threshold, the system does not install the RASP agent until the resource usage falls below the threshold. This helps ensure that the application protection feature runs as expected. This limit does not apply to the manual access method. The following list describes the related thresholds:
The CPU usage of a host or a container exceeds 98%, or the remaining memory is less than 200 MB.
The remaining JVM heap memory is less than 150 MB, or the metadata space is less than 5 MB.
Prerequisites
The Security Center agent on your server is online.
To check whether the Security Center agent on your server is online, perform the following steps: Go to the Assets > Host page. Click the Servers tab. Find your server and view the icons in the Agent column. The
icon indicates that the Security Center agent is online. If the Security Center agent is offline, you can troubleshoot the issue. For more information, see Troubleshoot why the Security Center agent is offline. The AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies are attached to the Resource Access Management (RAM) user that is used. For more information about how to grant permissions to a RAM user, see Grant permissions to RAM users.
Step 1: Check which applications can be added to the application protection feature
The application protection feature is available only for Java applications in the Running state. Before you purchase a quota for the application protection feature, you can perform the following operations to view the number and details of qualified applications. An application that can be added is considered a qualified application.
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
In the Protection Statistics section, click Immediate Scan.
After you click Immediate Scan, the Security Center agent collects information about the processes on your assets.
NoteThe Security Center agent can collect the information only once per day in the Basic, Value-added Plan, Anti-virus, or Advanced edition of Security Center.
View the number of application processes on your assets. You can click the number to view the list of application processes. The list provides the server information, process name, process identifier (PID), and startup parameters of each qualified application process.
ImportantWhen an application is added to the application protection feature, the quota for the feature is deducted by one. The number of processes dynamically changes. The number displayed in the scan result is the number of processes that are running during the scan. You can estimate the quota that you need to purchase for the application protection feature based on the number of processes.
Step 2: Purchase a quota for the application protection feature
You can use the application protection feature only if you have a sufficient quota. When you purchase Security Center, select the required edition and the quota for the application protection feature. For more information, see Purchase Security Center.
The quota for the application protection feature that is provided by the free trial of Security Center is 10, and the quota is free of charge. If you have not purchased Security Center, you can apply for a free trial of Security Center. For more information, see Apply for a 7-day free trial of Security Center.
Step 3: Add applications for protection
The application protection feature protects web service processes by application group. Before you can use the application protection feature, you must create an application group, add the application processes that you want to protect to an application group, and configure a unified protection policy for the application group.
Create an application group
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the page that appears, click the Application Configurations tab. Then, click Create Application Group.
In the Create Application Group step of the panel that appears, enter a name and description for the application group that you want to create. Then, click Next.
We recommend that you enter a name based on the processes that you want to protect. The name must be unique. After you complete the preceding step, the application group is created.
Use the automatic access or manual access method
Access methods
The application protection feature supports the automatic access and manual access methods. The following table describes the methods.
Method | Description | Scenario |
Automatic access for servers and containers (recommended) | The automatic access method allows you to add servers to add all qualified applications on the servers for protection. After you add a server to the application protection feature, the feature uses JVM Attach capabilities to identify and add the qualified Java processes that are listening on ports on the server or a container. This way, the applications are protected. If you use the automatic access method, the system dynamically loads and unloads the application protection capabilities when the applications are running. This ensures business continuity without the need to restart the processes. | If a server is not added to an application group by using the automatic access method, you can use the automatic access method to add the server. Note If the processes that run on your server are automatically added to an application group and you want to migrate the processes to a different application group, you can disable the application protection feature for the server, remove the server from the current application group, and then use the automatic access method to add the server to the new application group. |
Manual access for servers | The manual access method allows you to add a single application for protection. You must manually add an application to the application protection feature and restart the application. |
|
Manual access for containers |
Automatic access
The first time you add applications to the application protection feature, we recommend that you perform the operation during off-peak hours.
A server can be automatically added to only one application group. If you use the automatic access method, you can select only 64-bit servers that are not automatically added to an existing application group.
You can use the automatic access method for servers that are added by using the manual access method. If you uninstall the RASP agent from the servers, the servers are automatically added to the application protection feature.
The automatic access method is supported for Java processes that are listening on ports. If the Java processes are not listening on ports, you must use the manual access method.
On the Automatic Access tab of the Automatic/Manual Access page, click Select Asset for Application Protection.
In the Select Asset dialog box, select the assets that you want to add and click OK.
After you select a server, the application protection feature automatically identifies and adds the Java processes on the server or on a container hosted on the server. You do not need to restart the processes. You can select up to 100 servers at a time.
NoteAfter you select a server, the OK button changes to Synchronizing, which indicates that Security Center is loading the server to the list of selected servers.
Perform the following operations based on the number of servers that you want to add:
If you want to add only one server, turn on the switch in the Application Protection column of the server. After the RASP agent is installed, click Next.
If you want to add multiple servers, select the servers, click Batch Enable Protection, and then click Next.
You can select up to 100 servers at a time.
After you turn on the switch in the Application Protection column for a server or select multiple servers and click Batch Enable Protection, Security Center automatically identifies and adds the Java processes on the selected servers to application protection. During this process, Installing is displayed in the Application Protection column. This process may require approximately 10 minutes to complete. The period of time varies based on your network environment. If multiple Java processes are running on a server, Security Center adds the processes at a time.
After the Java processes are added, the switch in the Application Protection column is turned on. You can view the protection status of the application instances in the Protection Status column. A Java process in an application group is considered an application instance. The following list describes the valid values of the Protection Status column
Not Added: The application protection feature is disabled for the server.
Failed: All processes on the server failed to be added to the application protection feature.
Partial Added: Several processes on the server are added to the application protection feature, but other processes on the server failed to be added to the application protection feature.
All Added: All qualified processes on the server are added to the application protection feature or no qualified processes exist on the server.
NoteWhen All Added is displayed in the Protection Status column and no qualified processes exist on the server or the processes on the server are not supported by the application protection feature, the list in the Access Details panel is empty. Subsequently, if a qualified process runs on the server, the process is automatically added.
You can click Details in the Actions column to view the status of the added Java processes.
Manual access for servers
On the Manual Access tab of the Automatic/Manual Access page, follow the instructions on the Host Access Guide tab to install the RASP agent and then restart your applications. Click Next.
Before you restart your applications, you must complete related deployment based on the runtime environment of the applications. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {appId} with the application ID that is displayed on the Host Access Guide tab when you configure the parameters. The following figure shows the position of an application ID. 
Runtime environment | Parameter description |
Tomcat on Linux | Add the following configurations to the {Tomcat installation directory}/bin/setenv.sh file: If the <Tomcat installation directory>/bin/ directory does not contain the setenv.sh configuration file, create the file in the <Tomcat installation directory>/bin/ directory. |
Tomcat on Windows | Add the following configurations to the <Tomcat installation directory>\bin\setenv.bat file: If the <Tomcat installation directory>\bin\ directory does not contain the setenv.bat configuration file, create the file in the <Tomcat installation directory>\bin\ directory. |
Jetty | Add the following configurations to the {JETTY_HOME}/start.ini configuration file: |
Spring Boot | Add the -javaagent parameter to the startup command for the Spring Boot process. For example, the following command is the original startup command of the Spring Boot process: Before you start the Spring Boot process to install the RASP agent, you must change the startup command to the following command: Important Make sure that the -javaagent parameter is placed before the -jar parameter. |
JBoss or WildFly |
|
Liberty | Go to the <Liberty installation directory>/${server.config.dir} directory. The default directory is /opt/ibm/wlp/usr/servers/defaultServer/jvm.options. When you create or modify the jvm.options file, add the following content to the file: |
Resin |
|
You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.
Manual access for containers
On the Manual Access tab of the Automatic/Manual Access page, follow the instructions on the Add Container tab to install the RASP agent and then restart your applications. Click Next.
Before you restart a container, you must complete related deployment based on the runtime environment of the container. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {manager.key} with the value of Dmanager.key that is displayed on the Add Container tab when you configure the parameters.
Runtime environment | Parameter description |
SpringBoot | To install the RASP agent when an image is being packaged, modify the startup parameters in the Dockerfile and change the startup command for your applications. Startup command before the change: Startup command after the change: |
Tomcat |
For example, the original startup command of a container is |
Weblogic |
You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.
Configure a protection policy
In the Configure Protection Mode After No False Alerts Generated step, configure a protection policy and click OK.
The default protection mode is Monitor. We recommend that you use the Monitor mode for two to five days. If no false positives are reported during this period of time, you can change the protection mode to Block. If a false positive is reported, you can configure a whitelist rule to block the detection type for which the false positive is reported. For more information, see Add alerts to a whitelist.
Parameter | Description |
Application Group Name | The name of the application group. You cannot change the name in this step. |
Protection Mode | The protection mode of the application group. Valid values:
|
Protection Policy Group | The default protection policy group is Normal Running Group. You can select a different protection policy group from the drop-down list. For more information about protection policy groups, see Step 5: Manage protection policy groups. |
Check Type | The check types supported by the selected protection policy group. |
Weakness Detection | Specifies whether to enable the weakness detection feature for the current application group. For more information, see Detect application weaknesses. |
In-memory Webshell Detection | Specifies whether to enable the in-memory webshell detection feature for the current application group. For more information, see Use the in-memory webshell prevention feature. |
Detection Timeout Period | The maximum period for attack detection. Valid values: 1 to 60000. Unit: milliseconds. Default value: 300. After the specified period elapses, the original business logic continues even if the detection logic is not complete. We recommend that you use the default value. |
Method to Obtain Source IP Address |
|
Step 4: Check whether the application is added to the application protection feature
If the PID of an application process is displayed in the authorized instance list of the application group, the application is added to the application protection group. To view the protected applications, perform the following steps:
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Online Instances column.
In the panel that appears, view the applications that are added to the application protection feature.
If the PID of the application process that you want to protect is displayed in the application list, the application is protected.
Step 5: Manage protection policy groups
To meet the security requirements in different business scenarios, the application protection feature manages the attack detection policies in the following pre-defined protection policy groups at different levels: Business First Group, Normal Running Group, and Protection First Group.
The detection modes of all policies in the pre-defined protection policy groups are the same. For example, the detection mode of all policies in Business First Group is loose. You can use the pre-defined protection policy groups or create a protection policy group based on your business requirements.
Detection mode description
To balance the false positive rate and security protection effectiveness in different business scenarios, the application protection feature provides the following detection modes: loose, standard, and strict. The loose, standard, and strict modes are listed in ascending order based on the false positive rate and security protection effectiveness.
Loose: Security Center detects only threats of known attack characteristics with a low false positive rate.
Standard: Security Center detects threats of common attack characteristics and provides generalization reasoning capabilities. This is the default mode and is suitable for routine O&M.
Strict: Security Center identifies more attacks that are difficult to detect. False positives may be generated.
Create a protection policy group
On the Application Configurations tab of the Application Protection page, click Protection Policy Group Management.
Click Create Protection Policy Group.
In the Create Protection Policy Group panel, enter a name and description for the protection policy group and click Select to the right of Check Type.
In the Select Threat Type panel, select the type of the threat that you want to detect, configure the Detection Mode parameter, and then click OK.
For example, if a large number of false positives for SQL injections are generated in existing alerts, you can change the detection mode for SQL injections to Loose.
Click OK.
What to do next
Manage the quota for the application protection feature
View the remaining quota for the application protection feature
When an application instance is protected, the quota for the application protection feature is deducted by one. You can use the application protection feature only when you have a sufficient quota. After you purchase a quota for the application protection feature, you can view the remaining quota on the Application Configurations tab of the Application Protection page.
If the remaining quota is insufficient or exhausted, take note of the following items:
If the automatic access method is used, servers cannot be automatically added to the application protection feature.
NoteIf the quota for the application protection feature is exhausted when the automatic access method is used to add applications, the applications can be added but the status of the excess application instances is unauthorized.
If the quota for the application protection feature is exhausted, you can manually add applications to the application protection feature but the status of the application instances is unauthorized. The unauthorized application instances are not protected.
If the quota for the application protection feature is insufficient, we recommend that you follow the instructions in this topic to increase the quota.
Increase the quota for the application protection feature
If the number of application instances that require protection exceeds the remaining quota, you can purchase an additional quota. To purchase an additional quota, perform the following steps: Go to the Application Protection page and click the Application Configurations tab. Then, click Upgrade to the right of Remaining Quota. In the panel that appears, configure the Quota for Application Protection parameter.
Modify the protection policies of an application group
To modify the protection policies of an application group, perform the following steps:
On the Application Configurations tab of the Application Protection page, find the application group whose protection policies you want to modify and click Protection Policy in the Actions column.
In the Protection Policy panel, select a protection policy group from the Protection Policy Group drop-down list.
Parameter
Description
Protection Policy
Application Group Name
The application group name. You cannot modify the name.
Protection Mode
The protection mode of the application group. Valid values:
Monitor: monitors your applications to detect attacks but does not block attacks. If an attack is detected, an alert is generated. For this alert, Handling Method is Monitor.
Block: monitors your applications to detect attacks and blocks detected attacks, and monitors high-risk operations on application instances. If an attack is blocked, an alert is generated. For this alert, Handling Method is Block.
Disable: disables the application protection feature for the application instances in the application group. No attacks are detected or blocked.
Protection Policy Group
The protection policy group that you want to use. You can select a protection policy group from the drop-down list. For more information about protection policy groups, see Step 5: Manage protection policy groups.
Check Type
The check types supported by the selected protection policy group.
Detection Policy
Weakness Detection
Specifies whether to enable the weakness detection feature for the current application group. For more information, see Detect application weaknesses.
In-memory Webshell Detection
Specifies whether to enable the in-memory webshell detection feature for the current application group. For more information, see Use the in-memory webshell prevention feature.
Common Settings
Detection Timeout Period
The maximum period for attack detection. Valid values: 1 to 60000. Unit: milliseconds. Default value: 300. After the specified period elapses, the original business logic continues even if the detection logic is not complete. We recommend that you use the default value.
Method to Obtain Source IP Address
The method to obtain source IP addresses. If you select Default, the system obtains source IP addresses based on the values of standard request headers that record source IP addresses. The standard request headers include X-Real-IP, True-Client-IP, and X-Forwarded-For.
If you select Enter Custom Header, the system preferentially obtains source IP addresses based on the values of custom headers. If the system cannot obtain source IP addresses based on the values of custom headers, the value Default takes effect.
Click OK.
Disable the application protection feature
Disable the application protection feature for an application
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Access Management in the Actions column. In the Access Management panel, uninstall the RASP agent based on the method that you use to add your application process.
Automatic Access: On the Automatic Access tab, select the server from which you want to uninstall the RASP agent and click Batch Disable Protection. You can also turn off the switch in the Application Protection column for the server.
ImportantIf you no longer need to protect a server, you can remove the server after you turn off the switch in the Application Protection column.
On the Automatic Access tab, find the server that you want to remove and click Delete in the Actions column. You can also select multiple servers and click Batch Delete to remove the servers from the application group at a time.
Manual Access: To uninstall the RASP agent, remove the JVM parameters that are used to add your application process and then restart the application.
Disable the application protection feature for an application group
To disable the application protection feature for all applications in an application group, you can perform the following steps: On the Application Configurations tab of the Application Protection page, find the application group that you want to manage, click Protection Policy in the Actions column, change the value of the Protection Mode parameter to Disable, and click OK.
Delete an application group
After you delete an application group, the application protection feature is disabled for all application instances in the application group. Before you delete an application group, make sure that you no longer need to protect the application instances in the application group.
Before you delete an application group, make sure that no authorized instances exist in the application group or the switch in the Application Protection column is turned off for all servers that are displayed on the Application Protection tab.
On the Application Configurations tab of the Application Protection page, find the application group that you want to delete and click Delete in the Actions column. In the message that appears, click OK.
View the version of the RASP agent
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Added Instance column. If the 
icon is displayed to the right of the RASP Version column of an application instance, a new version of the RASP agent is available. We recommend that you restart the application to automatically upgrade the RASP agent. 
The following list describes the status of an application instance:
Online and authorized: The application instance is protected by the application protection feature.
Online and unauthorized: The application instance is added to the application protection feature but is not protected because the quota for the application protection feature is insufficient. You can click Upgrade to the right of Remaining Quota to purchase an additional quota.
Offline: The application instance is not added to the application protection feature.