HP Fortify Software Security Center
Software Version: 4.30

Installation and Configuration Guide

Document Release Date: April 2015
Software Release Date: April 2015



Legal Notices

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

© Copyright 2015 Hewlett-Packard Development Company, L.P.

Documentation Updates

The title page of this document contains the following identifying information:

• Software Version number

• Document Release Date, which changes each time the document is updated

• Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://protect724.hp.com/welcome

You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Part Number: 1-151-2015-04-430-02


Contents

Preface 8
  Contacting HP Fortify Support 8
  For More Information 8
  About the HP Fortify Software Security Center Documentation Set 8

Change Log 9

Chapter 1: Introduction 11
  About the Intended Audience 11
  Related Documents 11

Chapter 2: Providing for Secure Deployment 12
  About Securing Access to Facilities 12
  About Securing the Application Server 12
  About Setting Application Server Attributes to Protect Sensitive Data 12
  About Using HTTPS and SSL Communications 13
  About Securing Passwords and User Roles 13
  About Managing Computer Services and Accounts 13

Chapter 3: Deployment Overview and Task List 14
  About the Software Security Center Installation Environment 15
  About Software Security Center Deployment 16
  About High-Level Deployment Tasks 17

Chapter 4: Preparing for Software Security Center Deployment 19
  Downloading Software Security Center Files 19
  Unpacking and Deploying Software Security Center Software 20
  About JDBC Drivers 21
  About the Software Security Center Database 21
  About Software Security Center Database Character Set Support 22
  Correcting a Case Insensitive Database Deployment 22
  Installing and Configuring the Database Server Software 23
  About Database User Account Privileges 23
  About Database-Specific Configuration Requirements 24
  Configuring an IBM DB2 Database 24
  Using a Microsoft SQL Server Database 25
  Configuring a MySQL Database 25
  Configuring an Oracle Database 26
  Preventing java.lang.OutOfMemoryError Errors from Occurring during Report Generation 26
  Preventing the “No more data to read from socket” Error 27
  Creating the Software Security Center Database Tables and Initializing the Schema 27
  Permanently Deleting an Existing Software Security Center Database 28
  About LDAP User Authentication 29
  About Software Security Center User Authentication 29
  Preparing to Configure LDAP Authentication 30
  About the LDAP Server Referrals Feature 30
  Disabling Referrals Support 31

Chapter 5: Configuring Software Security Center with the Configuration Tool 32
  Starting the Software Security Center Configuration Tool 33
  Saving the Configuration Tool Settings 34
  Migrating from a Previous Version of Software Security Center 34
  Configuring the Core Parameters 35
  About Setting Up the Database 36
  Configuring the Database Connection Parameters 38
  Testing the JDBC Connection 40
  About Seeding the Software Security Center Database 41
  Seeding a New Software Security Center Database 41
  Validating the Database (Optional) 42
  Moving Software Security Center Property Values from an Imported WAR File into the Database 43
  Configuring the LDAP Server Properties 43
  Configuring the Defect Tracker Plugins 49
  Completing the Software Security Center Configuration and Deploying the WAR File 50

Chapter 6: Deploying Software Security Center in an Application Server 51
  About Supported Application Servers and Secure Deployment 51
  About Configuring pragma no-cache on Application Servers 51
  About Deploying Software Security Center in Apache Tomcat 52
  About Configuring Tomcat Memory Settings 52
  Configuring Tomcat Memory from the Windows Command Line 53
  Configuring Tomcat Memory When Tomcat Is Installed as a Service 53
  Configuring Tomcat Memory on a Linux System 55
  About Configuring the Tomcat Connectors 56
  Deploying Software Security Center in Tomcat 56
  About Deploying Software Security Center in IBM WebSphere 56
  About HP Fortify Web Certificates for WebSphere 57
  Exporting the HP Fortify Web Certificate Using Firefox 57
  Exporting the HP Fortify Web Certificate Using Internet Explorer 57
  Adding the HP Fortify Web Certificate to the WebSphere Application Server 58
  Preparing WebSphere for Software Security Center Deployment 59
  Deploying Software Security Center in WebSphere 59
  About Deploying Software Security Center in WebLogic 60
  Deploying Software Security Center in WebLogic 11g 60
  Deploying Software Security Center in WebLogic 12c 62
  About Deploying Software Security Center in JBoss Enterprise Application Platform 63
  Deploying Software Security Center in JBoss Enterprise Application Platform Version 5.x 63
  Deploying Software Security Center in JBoss Enterprise Application Platform Version 6.x 64

Chapter 7: Logging On to Software Security Center and Requesting a User Account 65
  Logging On to Software Security Center 65
  Requesting Access to Software Security Center 66

Chapter 8: Completing the Configuration of Software Security Center 67
  Accessing the Configuration Category on the Software Security Center Administration Page 67
  About the Options in the Configuration Category 68
  Configuring Software Security Center to Work with a Central Authorization Server 69
  Configuring HP Fortify CloudScan Monitoring in Software Security Center 70
  Configuring Core Settings 70
  About Configuring a Proxy for Rulepack Updates 72
  Configuring the Software Security Center Settings Used for Sending Email Alert Notifications 73
  Configuring Java Message Service Settings 74
  Configuring HP Fortify Runtime Application Protection Communication Settings 75
  Configuring Job Scheduler Settings 76
  Configuring Software Security Center to Work with Single Sign-On 77
  Configuring Web Services to Require Token Authentication 78

Chapter 9: Additional Installation-Related Tasks 79
  Configuring an Eclipse Plugin Update Site 79
  About Bug Tracker Integration 80
  Integrating with a Bug Tracking System 80
  Additional Bug Tracker Configuration Information 82
  Securing Logon Credentials for Bug Tracking Systems 83
  About Bug Tracker Parameters 83
  About HP ALM Parameters 84
  About Bugzilla Parameters 85
  About JIRA Parameters 86
  Viewing Previously Logged Bugs in the Collaboration Module 86
  About Changing the Bug-Tracking System for a Project 87
  Configuring Single Sign-On for Software Security Center 87
  About Software Security Center User Administration 89
  About Administrator Accounts 89
  About Security Lead, Manager, and Developer Accounts 90
  About Creating User Accounts 90
  Registering LDAP Entities with Software Security Center 91
  About Managing LDAP User Roles 91
  About Group Membership in Software Security Center 91
  About Mapping Software Security Center Roles to LDAP Groups 91
  Creating Custom Project Attributes 92

Chapter 10: Using the Software Security Center fortifyclient Utility 94
  About fortifyclient Requirements 94
  About Specifying the Software Security Center URL 95
  About fortifyclient Authentication Tokens 95
  Listing fortifyclient Options and Parameters 95
  About Acquiring an Upload Authentication Token 95
  Acquiring an Upload Authentication Token 96
  Specifying DaysToLive for fortifyclient Authentication Tokens 96
  Listing fortifyclient Authentication Tokens 97
  Invalidating Tokens 97
  Listing Project Versions 97
  Purging Project Versions 98
  About Uploading FPRs 98
  Using a Software Security Center Project Identifier to Upload FPR Files 99
  Using a Software Security Center Project and Project Version to Upload FPR Files 99
  About Downloading FPRs 100
  Downloading an FPR Using a Project Identifier 100
  Downloading an FPR Using a Software Security Center Project and Project Version 101
  Importing Content Bundles 101
  Downloading Audit Attachment Files 102
  About Archiving and Restoring Runtime Events 102
  About Archived Runtime Events 103
  Listing Runtime Applications 103
  Archiving Runtime Events 104
  About Restored Runtime Events 104
  Restoring Runtime Events 105
  Listing Runtime Archives 105
  Uploading a Source Archive to a Project 106
  Downloading Runtime Event Archive Files 106

Chapter 11: Upgrading Software Security Center 108
  Preparing for the Software Security Center Database Upgrade 108
  Setting the Innodb Buffer Pool Size when Upgrading the MySQL Server Database 109
  About Configuring Connectivity to an Upgraded Database 109
  About Running Software Security Center Database Upgrade Scripts 109
  Preparing to Run the Database Upgrade Script 109
  Generating and Running the Database Migration Script 110
  About Reseeding the Upgraded Database 111
  Reseeding the Upgraded Database 111
  Troubleshooting an Error Received While Seeding an IBM DB2 Database 112
  Updating and Deploying the WAR File 113
  Updating Expired Licenses 113
  Troubleshooting Database Migration Problems 114

Chapter 12: Performing HP Fortify Static Code Analyzer Suite Upgrades from HP Fortify Audit Workbench 115
  Enabling HP Fortify SCA Suite Upgrades from HP Fortify Audit Workbench 115

Appendix A: Running the Configuration Tool from the Command Line 117
  Flags 118

Appendix B: LDAP Properties File Parameters 119

Appendix C: Configuring Software Security Center to Use Multiple LDAP Servers 120

Appendix D: Authoring Software Security Center Bug Tracker Plugins 127
  Use Case 127
  Project Setup 128
  Implementation 128
  Plugin Methods and Method Calls 129
  Plugin Helper 131
  Error Handling 131
  Almost Stateless 131
  Debugging Bug-Tracker Plugin 132
  Deploying a Bug Tracker Plugin 132

Send Documentation Feedback 133


Preface

Contacting HP Fortify Support

If you have questions or comments about using this product, contact HP Fortify Technical Support using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account

https://support.fortify.com

To Email Support

[email protected]

To Call Support

650.735.2215

For More Information

For more information on HP Enterprise Security Software products: http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set

The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following HP ESP user community Protect724 website:

https://protect724.hp.com/welcome

You will need to register for an account.


Change Log

The following table lists changes made to this guide.

Software Release-Version: 4.30-02
Date: 3/30/15
Change: Corrected: Task 4 now references task 2 as its prerequisite in "About Setting Up the Database" on page 36.

Software Release-Version: 4.30-01
Date: 03/06/2015
Change: Reorganized and updated the guide. This reflects the new order in which installation and deployment tasks are completed with the new Software Security Center Configuration Tool and Administration page.

The new Software Security Center Configuration Tool is described in "Configuring Software Security Center with the Configuration Tool" on page 32.

The new Administration page in Software Security Center is described in "Completing the Configuration of Software Security Center" on page 67.

Major changes were made to many topics.


Chapter 1: Introduction

The Software Security Center family of products performs sophisticated analysis of an enterprise’s source code that results in concise summaries of the source code’s security vulnerabilities.

If you are not installing Software Security Center for the first time, see the instructions on how to upgrade from an earlier version in "Upgrading Software Security Center" on page 108.

Topics covered in this section:

• About the Intended Audience 11
• Related Documents 11

About the Intended Audience

This guide is written for users who are responsible for deploying and maintaining HP Fortify Software Security Center. It provides all of the information they need to acquire, install, and configure HP Fortify Software Security Center.

This document is intended for users who are moderately knowledgeable about enterprise application development and skilled in enterprise system and database administration. It is written for:

• System and instance administrators
• Database administrators (DBAs)

Related Documents

The following documents provide additional information for HP Fortify Software Security Center system and database administrators:

• HP Fortify Software Security Center System Requirements contains information about the hardware and software requirements and recommendations for Software Security Center. You must review this document before you start to deploy your Software Security Center instance.

• The HP Fortify Software Security Center Release Notes document provides product information that is not included in the regular documentation set.

• What's New In HP Fortify Software Security Center and HP WebInspect Products contains information about features added to Software Security Center and HP WebInspect since their previous release.

• HP Fortify Software Security Center Process Designer User Guide contains information about how to use Process Designer to create and edit process templates for your HP Fortify Software Security Center projects.

• The HP Fortify Software Security Center User Guide provides Software Security Center users with detailed information about how to use Software Security Center.

For information about all of the guides in the Software Security Center documentation suite, see HP Fortify Software Security Center and WebInspect Products Documentation Set.


Chapter 2: Providing for Secure Deployment

Just as you apply security precautions to analyzed source code, you must also secure access to the Software Security Center analysis products that access the source code. Moreover, the concentrated summarization of security vulnerabilities provided by the Software Security Center family of products might mandate an even higher level of secure deployment.

The topics in this section summarize some of the ways to securely deploy Software Security Center:

Topics covered in this section:

• About Securing Access to Facilities 12
• About Securing the Application Server 12
• About Setting Application Server Attributes to Protect Sensitive Data 12
• About Using HTTPS and SSL Communications 13
• About Securing Passwords and User Roles 13
• About Managing Computer Services and Accounts 13

About Securing Access to Facilities

Software Security Center stores and renders the source code of programs it has analyzed and any issues discovered in those programs as HTML. Because program source code and any detected vulnerabilities it contains offer various opportunities for mishandling or abuse, HP recommends that administrators deploy Software Security Center in a secure operations facility. You must also secure the underlying Software Security Center file system and restrict access to the Software Security Center installation directory.

About Securing the Application Server

You must ensure the operational security of the application server running Software Security Center. At a minimum, configure the application server to use HTTPS in conjunction with an SSL certificate issued by a trusted certificate authority. Also, take any additional steps necessary to secure the application server in your operating environment.

About Setting Application Server Attributes to Protect Sensitive Data

Some application server settings might make the sensitive information in some cookies vulnerable to unnecessary disclosure.

To protect sensitive data, HP recommends that you add the following attributes (flags) for cookies on the application server:


• Secure: The Secure attribute prevents the cookie from being transmitted on requests that are not protected with SSL or TLS. Use this option to prevent cookies that could disclose sensitive information (for example, session identifiers) from leaking information over insecure channels (such as HTTP).

• HttpOnly: The HttpOnly attribute prevents the cookie value from being accessed through client-side scripting routines. HP recommends that you keep this attribute enabled unless the cookie is being read by client-side JavaScript routines.

For information about how to set the Secure and HttpOnly attributes, see the documentation for your application server version.
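The guide leaves the mechanics of setting these attributes to your application server's documentation; a practical follow-up is to verify, from the outside, that the deployed server actually emits them. The following Python script is an added example (not from the HP guide or the product) that parses the Set-Cookie header values a server returns and reports any cookie missing Secure or HttpOnly; the header values it audits are constructed samples, and the `fetch_set_cookies` helper is an assumed convenience for running the same audit against a live HTTPS endpoint.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not part of the HP guide): given the Set-Cookie header values
an application server returns, report every cookie that is missing either
attribute. The cookie names and header values below are constructed samples.
"""
import http.client
import urllib.parse
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    missing: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value (RFC 6265 layout: name=value; attr; attr=val)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; only the two bare flags matter here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    audit = CookieAudit(name=name,
                        secure="secure" in attrs,
                        http_only="httponly" in attrs)
    if not audit.secure:
        audit.missing.append("Secure")
    if not audit.http_only:
        audit.missing.append("HttpOnly")
    return audit


def audit_headers(set_cookie_values):
    """Return the audits for every cookie that lacks Secure or HttpOnly."""
    return [a for a in (parse_set_cookie(v) for v in set_cookie_values) if a.missing]


def fetch_set_cookies(url: str, timeout: float = 10.0):
    """Assumed helper: GET `url` over HTTPS and return its Set-Cookie values.

    The audit is only meaningful on the HTTPS endpoint, because Secure
    cookies are never sent on plain HTTP responses.
    """
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "https":
        raise ValueError("audit the HTTPS endpoint of the application server")
    conn = http.client.HTTPSConnection(parsed.hostname, parsed.port or 443,
                                       timeout=timeout)
    try:
        conn.request("GET", parsed.path or "/")
        resp = conn.getresponse()
        # getheaders() keeps duplicate Set-Cookie headers as separate tuples.
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample: what a misconfigured server might return for a logon page.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3D4E5F6; Path=/ssc; HttpOnly",                  # lacks Secure
    "remember_me=abc; Path=/ssc; Secure",                             # lacks HttpOnly
    "ui_theme=dark; Path=/ssc",                                       # lacks both
    "CSRF-TOKEN=xyz; Path=/ssc; Secure; HttpOnly; SameSite=Strict",   # compliant
]

if __name__ == "__main__":
    for a in audit_headers(SAMPLE_HEADERS):
        print(f"{a.name}: missing {', '.join(a.missing)}")
```

On a Servlet 3.0 container (Tomcat 7 or later, for example) both attributes can also be set declaratively for the session cookie through the `<cookie-config>` element of web.xml, using `<secure>true</secure>` and `<http-only>true</http-only>`.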

About Using HTTPS and SSL Communications

HP strongly recommends that you configure HP Fortify Software Security Center and HP Fortify client products to use HTTPS and SSL for all communications.

When using SSL, HP Fortify does not support deploying Software Security Center to a container that uses self-signed certificates.

About Securing Passwords and User Roles

When you have finished deploying Software Security Center and you log on for the first time, HP Fortify recommends that you immediately create a new administrator account and delete the default administrator account. For information about logging on to Software Security Center, see "Logging On to Software Security Center" on page 65.

Software Security Center account security features include:

• The ability for administrators to suspend accounts that have become temporarily inactive

• The automatic lock-out of accounts on the basis of failed log-on attempts

For more information about Software Security Center account management, see the HP Fortify Software Security Center User Guide.

If you are using LDAP to authenticate Software Security Center users, configure your LDAP server to use secure LDAP communications. For more information about configuring Software Security Center to use LDAP authentication, see "About LDAP User Authentication" on page 29.

About Managing Computer Services and Accounts

When you install Software Security Center, configure it as a service running under a least-privileged user account. Also, because Software Security Center temporarily stores files that are uploaded from a user account to the computer’s file system, you should always install and run updated anti-virus software on the machine on which Software Security Center is running.


Chapter 3: Deployment Overview and Task List

HP Fortify Software Security Center provides a centralized management and analysis facility for project data gathered and processed using HP Fortify analysis products and tools (Static Code Analyzer, WebInspect Agent [formerly SecurityScope], HP Fortify Runtime Application Protection, and Audit Workbench) across the complete Secure Development Lifecycle (SDL).

To provide centralized management, Software Security Center interoperates with the following external components:

• Required components
  • Third-party application server
  • Third-party database
  • HP Fortify Rulepack server

• Optional components
  • Third-party LDAP authentication server
  • Defect-tracking system
  • SMTP email server
  • One or more HP Fortify analysis agents and tools

Topics covered in this section:

• About the Software Security Center Installation Environment 15
• About Software Security Center Deployment 16
• About High-Level Deployment Tasks 17

About the Software Security Center Installation Environment

The following figure illustrates the relationship of Software Security Center to the required and optional components listed in "Deployment Overview and Task List" on the previous page.

The following table provides descriptions of the required and optional Software Security Center installation components.

ID  Description

S1  Software Security Center. HP Fortify delivers Software Security Center as a Web Archive (WAR) file run by a web application server (A1).

D1  Third-party database required by Software Security Center. Stores user and artifact data. Before putting Software Security Center into production, you must install a supported third-party database.

A1  Application server. Software Security Center (S1) is delivered as a Web Archive (WAR) file and run by a web application server.

A2  Optional third-party LDAP authentication server. You can configure Software Security Center to use LDAP authentication.

A3  Optional defect-tracking server. You can configure Software Security Center to enable bug submission to Bugzilla, JIRA, ALM, or a customized bug-tracking system directly from Collaboration Module.

A4  Optional third-party email server. You can configure Software Security Center to use an external SMTP email server to send alerts to project collaborators.

C1  Optional HP Fortify Static Code Analyzer (SCA) analysis agent. SCA scans source code and identifies issues.

C2  Optional analysis agent. HP Fortify Real-Time Analyzer performs analysis of instrumented code running in a production environment.

C3  HP Fortify Audit Workbench source code auditing tool. Although it is technically optional, most Software Security Center installations use Audit Workbench (AWB) to audit issues and categorize vulnerabilities.

F1  HP Fortify download server. Used to acquire installation programs.

F2  HP Fortify Security Content update server hosted by HP Fortify. Used to acquire and update Security Content.

Software Security Center installation requires not only the configuration of Software Security Center to interoperate with the external components shown in the previous figure, but also the configuration of the external components to interoperate with Software Security Center.

About Software Security Center Deployment

Software Security Center is packaged as a Web Archive (WAR) file. It runs under a separate third-party application server and requires a supported third-party database.

You use the configuration tool that is included with Software Security Center to complete the preliminary configuration of Software Security Center. This enables Software Security Center to work with required entities such as the third-party database and HP Fortify Runtime Application Protection, as well as with optional entities such as defect- and bug-tracking systems and LDAP authentication servers.


After you have finished the initial Software Security Center configuration, you complete the configuration of the core parameters and configure additional settings on the Administration page of Software Security Center. For instructions, see "Completing the Configuration of Software Security Center" on page 67.

For information about Software Security Center system requirements, see the HP Fortify Software Security Center System Requirements document.

About High-Level Deployment Tasks

The following table lists the high-level tasks you need to perform to prepare for Software Security Center deployment. It also provides links to the topics that describe these tasks.

Note: If you are upgrading Software Security Center, see "Upgrading Software Security Center" on page 108.

Task / Description / Information and Instructions

Chapter 4

1. Download the Software Security Center software files and the fortify.license file. See "Downloading Software Security Center Files" on page 19.

2. Unpack and deploy the installation bundle. See "Unpacking and Deploying Software Security Center Software" on page 20.

3. Install and configure the software for the database server you will use for the Software Security Center database. See "About the Software Security Center Database" on page 21.

4. Create the Software Security Center database tables and initialize the database schema. See "Creating the Software Security Center Database Tables and Initializing the Schema" on page 27.

5. Perform the tasks that you need to complete before you can configure LDAP authentication. See "About LDAP User Authentication" on page 29.

Chapter 5

6. Use the Software Security Center Configuration Tool to configure the Software Security Center properties and perform additional tasks such as setting up and seeding the database, configuring the LDAP server properties, and configuring defect tracker plugins. If you are migrating from a version of Software Security Center older than 4.30, you can import property values using the configuration tool. See "Configuring Software Security Center with the Configuration Tool" on page 32.

Chapter 6

7. Prepare your application server for Software Security Center deployment. Then deploy Software Security Center in your application server. See "Deploying Software Security Center in an Application Server" on page 51.

Chapter 7

8. Log on to Software Security Center. See "Logging On to Software Security Center and Requesting a User Account" on page 65.

Chapter 8

9. Complete the configuration of the Software Security Center settings on the Administration page. (For the list of the options you configure on the Administration page, see "About the Options in the Configuration Category" on page 68.) See "Completing the Configuration of Software Security Center" on page 67.

Chapter 9

10. Perform additional tasks such as configuring an Eclipse plugin update site, setting up bug tracker integration, configuring single sign-on, administering users, registering LDAP entities, managing LDAP user roles, and creating custom attributes that users can assign to their projects. See "Additional Installation-Related Tasks" on page 79.


Chapter 4: Preparing for Software Security Center Deployment

This section describes what you need to do to prepare to deploy Software Security Center for the first time. Tasks include downloading the HP Fortify license file, the installation package, and the associated resource bundles that you will use to seed the third-party database. Additional tasks include unpacking and deploying the Software Security Center software, installing and configuring the database server, creating and initializing the database, and configuring LDAP authentication and LDAP server options. This section also contains information about the JDBC drivers that are required to interface with the database.

If you no longer need the Software Security Center database, you can find instructions in this section for permanently deleting it.

If you intend to use your Software Security Center instance to provide Federation Controller services to one or more instances of HP Fortify Real-Time Analyzer (RTA) running in Federated mode, you must enable Software Security Center to communicate with RTA. You can find instructions for this in "Configuring HP Fortify Runtime Application Protection Communication Settings" on page 75.

Topics covered in this section:

• Downloading Software Security Center Files (page 19)
• Unpacking and Deploying Software Security Center Software (page 20)
• About JDBC Drivers (page 21)
• About the Software Security Center Database (page 21)
• About LDAP User Authentication (page 29)

Downloading Software Security Center Files

HP Fortify software is available as an electronic download. For descriptions of the available HP Fortify installation packages, see the HP Fortify Software Security Center System Requirements document.

Download the Software Security Center installation files and the fortify.license file following the instructions in the HP Fortify Software Security Center System Requirements document.

Note: You must have a SAID account to download HP Fortify software from the HP Software Support Online site.

See Next

"Unpacking and Deploying Software Security Center Software" on the next page


Unpacking and Deploying Software Security Center Software

To unpack and deploy the Software Security Center installation files:

1. Extract the contents of the installation file into a temporary directory in a secure location. (The installation file is the file you downloaded in "Downloading Software Security Center Files" on the previous page.)

2. Locate the HP_Fortify_SSC_4.30_Server_WAR.zip file and extract it into a directory in a secure location. This creates the HP-Fortify-Server-WAR directory that contains the resources and tools you need for tasks such as configuring Software Security Center and migrating projects from previous versions.

Note: The directory into which you extracted the HP_Fortify_SSC_4.30_Server_WAR.zip file is referred to in this document as the <SSC_Deploy> directory.

3. Copy the seed bundle files from the srg_content folder in the temporary directory to the <SSC_Deploy> directory. Do not unzip the seed files.

Note: Although you are not required to copy the resource files to the <SSC_Deploy> directory, the procedures in this document are based on the assumption that you saved the files to that location.

The seed bundles are described in the following table:

• HP_Fortify_Process_Seed_Bundle_2015_Q1.zip: The process template seed bundle used to seed your third-party database tables. It provides a default admin user account, a project template, and process template data.

• HP_Fortify_Report_Seed_Bundle_2015_Q1.zip: The report seed bundle used to seed the third-party database tables. It provides the default set of Software Security Center reports.

• HP_Fortify_PCI_3.0_Basic_Seed_Bundle_2015_Q1.zip (optional): The PCI Basic seed bundle adds a Payment Card Industry process template and its associated report to the default set of Software Security Center process templates and reports.

The process templates seed bundle and the reports seed bundle are required for Software Security Center deployment. The PCI Basic seed bundle is optional.

4. Copy the fortify.license file to the <SSC_Deploy> directory. (For information about obtaining the fortify.license file, see the HP Fortify Software Security Center System Requirements document.)


About JDBC Drivers

Licensing prohibits Software Security Center from including the JDBC drivers that are required to interface with the supported third-party databases. You must obtain the JDBC JAR files required to support the type and version of third-party database you plan to use with Software Security Center.

For information about the database driver classes supported by Software Security Center, see the HP Fortify Software Security Center System Requirements document.

About the Software Security Center Database

If you are configuring and deploying a new instance of Software Security Center, you must first install and configure the third-party database server software, and then create and initialize the database as described in the topics in this section.

Important: Software Security Center requires that all database schema collations be case sensitive.

If you are already a Software Security Center user and your database is case insensitive, see "Correcting a Case Insensitive Database Deployment" on the next page.

If you are installing a Microsoft SQL Server or MySQL database, your installation requires special attention. For more information, see "Using a Microsoft SQL Server Database" on page 25 or "Configuring a MySQL Database" on page 25.

Note: DB2 and Oracle databases are always case sensitive.

For important information about database requirements and case sensitivity, and for information about the database types and versions that Software Security Center supports for a production environment, see the HP Fortify Software Security Center System Requirements document.

For a new Software Security Center installation, the Software Security Center installation package includes the scripts that you use to create and initialize the Software Security Center database and tables.

After you create and initialize the Software Security Center database, you use the Software Security Center Configuration Tool to configure connectivity to the database and to seed the database. (See "Configuring Software Security Center with the Configuration Tool" on page 32.)

Topics covered in this section:

• About Software Security Center Database Character Set Support (page 22)
• Correcting a Case Insensitive Database Deployment (page 22)
• Installing and Configuring the Database Server Software (page 23)
• About Database User Account Privileges (page 23)
• About Database-Specific Configuration Requirements (page 24)
• Creating the Software Security Center Database Tables and Initializing the Schema (page 27)
• Permanently Deleting an Existing Software Security Center Database (page 28)


About Software Security Center Database Character Set Support

For a list of the supported character sets for each third-party database type that Software Security Center supports, see the HP Fortify Software Security Center System Requirements document.

See Also

"Correcting a Case Insensitive Database Deployment" below

Correcting a Case Insensitive Database Deployment

If the database you are using for Software Security Center is case insensitive, you must change the collation of the problematic columns.

Note: The following example does not convert the entire database to case sensitive collation. It only converts the columns that must be case sensitive to meet our minimum requirements.

For example, if the database collation is latin1_general, do the following:

• For a MySQL database, run the following statement, where latin1_general is the collation of the current database:

    ALTER TABLE SourceFileMap MODIFY filePath varchar(255) CHARACTER SET latin1 COLLATE latin1_general_cs NOT NULL;

• For a Microsoft SQL Server database, run the following statements, which drop the primary key before the collation is changed and then recreate the primary key after the collation is changed. Latin1_General is the collation of the current database:

    ALTER TABLE dbo.sourcefilemap DROP CONSTRAINT PK119
    GO
    ALTER TABLE dbo.sourcefilemap ALTER COLUMN filePath varchar(255) COLLATE Latin1_General_CS_AS NOT NULL;
    GO
    ALTER TABLE dbo.sourcefilemap ADD CONSTRAINT PK119 PRIMARY KEY (Scan_Id, filePath)
    GO
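The statements above correct one known column. To find every case-insensitive text column in a MySQL schema and generate the matching MODIFY statements in the same form, the following Python script can be used. It is an added example, not part of this guide or of the Software Security Center distribution: the information_schema query and the _ci/_cs/_bin collation naming are standard MySQL, the sample rows are constructed, and the rule that a character set's _bin collation is an acceptable case-sensitive substitute where no _cs sibling exists is the example's own assumption. This guide does not list which columns Software Security Center requires to be case sensitive, so review the generated statements before you run them (and on SQL Server, drop and recreate any primary key on the column as shown above).

```python
"""Audit a Software Security Center MySQL schema for case-insensitive
columns and generate the ALTER TABLE ... MODIFY statements that fix them.

Added example; not part of the HP Fortify documentation or product.
Run COLLATION_QUERY against your schema, feed the rows to plan_fixes(),
and review the output before executing it.
"""

# Standard information_schema query; replace ssc_DB with your schema name.
# Non-text columns have NULL in COLLATION_NAME and are excluded.
COLLATION_QUERY = """
SELECT TABLE_NAME, COLUMN_NAME, COLUMN_TYPE, IS_NULLABLE, COLLATION_NAME
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = 'ssc_DB' AND COLLATION_NAME IS NOT NULL;
"""


def is_case_insensitive(collation):
    """MySQL collation names end in _ci (case-insensitive), _cs or _bin."""
    return bool(collation) and collation.lower().endswith("_ci")


def case_sensitive_equivalent(collation):
    """Map a _ci collation to a case-sensitive collation of the same charset.

    latin1_general_ci has a true _cs sibling (the one the guide uses).
    Most other character sets have no _cs collation, so fall back to the
    charset's _bin collation, which compares code points and is therefore
    case sensitive. Assumption of this example: _bin is acceptable wherever
    a _cs sibling does not exist.
    """
    if collation.lower() == "latin1_general_ci":
        return "latin1_general_cs"
    return "%s_bin" % collation.split("_", 1)[0]


def mysql_fix_statement(table, column, column_type, nullable, collation):
    """Build one ALTER TABLE ... MODIFY statement in the form the guide uses.

    MODIFY restates the whole column definition, so the type and the
    NULL/NOT NULL setting are carried over from information_schema; any
    DEFAULT or AUTO_INCREMENT attribute would have to be restated as well.
    """
    new_collation = case_sensitive_equivalent(collation)
    charset = new_collation.split("_", 1)[0]
    null_clause = "NULL" if nullable.upper() == "YES" else "NOT NULL"
    return "ALTER TABLE %s MODIFY %s %s CHARACTER SET %s COLLATE %s %s;" % (
        table, column, column_type, charset, new_collation, null_clause)


def plan_fixes(rows):
    """Return (table, column, statement) for every case-insensitive column."""
    fixes = []
    for table, column, column_type, nullable, collation in rows:
        if is_case_insensitive(collation):
            stmt = mysql_fix_statement(table, column, column_type, nullable, collation)
            fixes.append((table, column, stmt))
    return fixes


# Constructed sample rows in the shape COLLATION_QUERY returns; apart from
# SourceFileMap.filePath the table and column names are illustrative only.
SAMPLE_ROWS = [
    ("SourceFileMap", "filePath", "varchar(255)", "NO", "latin1_general_ci"),
    ("project", "name", "varchar(255)", "NO", "utf8_general_ci"),
    ("project", "description", "text", "YES", "utf8_bin"),
    ("scan", "engineVersion", "varchar(64)", "YES", "latin1_general_cs"),
]

if __name__ == "__main__":
    for table, column, stmt in plan_fixes(SAMPLE_ROWS):
        print("-- %s.%s" % (table, column))
        print(stmt)
```

For the constructed rows, the first generated statement is exactly the MySQL statement shown above; the utf8 column gets utf8_bin because MySQL ships no utf8_general_cs, and the two columns that are already case sensitive are left alone.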


Installing and Configuring the Database Server Software

Install and configure the database server software following the instructions in the documentation for your database software.

For example, to create a new MySQL database, do the following:

Note: For this example, mysql must be in the PATH environment variable.

1. Log on to the machine hosting the MySQL database server.

2. Enter the following commands in a terminal or command prompt window, replacing <ssc_DB> with the name you want to call the Software Security Center database:

    user> mysql -u <username> -p
    Enter password: <enter password when prompted>
    mysql> CREATE DATABASE <ssc_DB>;
    mysql> exit

Because Software Security Center requires case-sensitive collations, give the database a case-sensitive default collation when you create it (the MySQL CREATE DATABASE statement accepts CHARACTER SET and COLLATE clauses). Doing so avoids the column-by-column correction described in "Correcting a Case Insensitive Database Deployment" on page 22.

For information about supported databases, see the HP Fortify Software Security Center System Requirements document.

About Database User Account Privileges

HP recommends that you create separate accounts for users who perform the following tasks on the Software Security Center database. The runtime account is the one whose credentials you later enter in the Software Security Center Configuration Tool; keeping schema-changing privileges off that account limits what can be done with it if the web application is compromised.

• Performs runtime tasks. A user who performs runtime tasks requires privileges to do the following:
  • Perform SELECT, UPDATE, INSERT, and DELETE operations in all the database tables.
  • Execute stored procedures.

• Executes migration scripts.

  Important: HP strongly recommends that you create a separate user account to be used for executing migration scripts.

  A user who executes migration scripts requires privileges to do the following:
  • Perform SELECT, UPDATE, INSERT, and DELETE operations in all the database tables.
  • Execute stored procedures.
  • Create, alter, and drop database tables, views, and indexes.
  • For Oracle databases, permission to enable sequences.

• Creates and manages the database.

  Important: HP strongly recommends that you create a separate user account to be used for creating and managing the database.

  A user who creates and manages the database requires privileges to do the following:
  • Perform all the tasks for which the user who executes migration scripts has privileges.
  • Create a Software Security Center database in a dedicated instance.
  • Back up and then update the existing Software Security Center dedicated database instance.
  • Bind a Software Security Center user account to the dedicated database instance.
  • Assign a Software Security Center user account the read-write privileges required to create, initialize, and manage the Software Security Center database. At a minimum, this user must have a database account that enables the web application to connect to the database.

About Database-Specific Configuration Requirements

This section describes the configuration requirements for the Software Security Center-supported third-party databases and how to configure the databases to work with Software Security Center.

Topics covered in this section:

• Configuring an IBM DB2 Database (page 24)
• Using a Microsoft SQL Server Database (page 25)
• Configuring a MySQL Database (page 25)
• Configuring an Oracle Database (page 26)

Configuring an IBM DB2 Database

If you are using an IBM DB2 as the Software Security Center database, do the following:

• Make sure that buffer pools with a page size of 32K are available for the database tablespaces (including temporary tablespaces).

• Increase the number of secondary log files so that the total number of primary and secondary log files equals 256.

• Change the size of each log file to 4096, and then verify that there is enough disk space for the increased number and size of log files.

• In the DB2 Control Center (Tools, Configuration Assistant, Configure, DB2 Registry), set the values of the following registry variables to ON:
  • DB2_EVALUNCOMMITTED
  • DB2_SKIPDELETED
  • DB2_SKIPINSERTED

HP Fortify does not support internationalization of DB2 databases. For information about DB2 character set support, see "About Software Security Center Database Character Set Support" on page 22.


Using a Microsoft SQL Server Database

If you are using Microsoft SQL Server as the Software Security Center database, perform the following checks:

• Make sure your SQL Server database schema collation is case sensitive. The default installation of SQL Server is case insensitive.

  Caution: Software Security Center requires that all database schema collations be case sensitive. If your installation is case insensitive, Software Security Center does not work correctly.

  For additional information, see "Correcting a Case Insensitive Database Deployment" on page 22.

• Before you run the HP Fortify-provided SQL scripts, verify that there are no open connections to the database.

• During SQL script executions, check the client tool to make sure that its ANSI null default option is set to ON. You can do this either with the SET ANSI_NULL_DFLT_ON ON command or in the Query Editor options.

• For Windows domain authentication, make sure that you add domain=<Windows_Domain_Name> to the database URL.

Configuring a MySQL Database

If you are using MySQL as the Software Security Center database, you must configure the MySQL options file.

Caution: Software Security Center requires that all database schema collations be case sensitive. If your installation is case insensitive, Software Security Center does not work correctly.

The MySQL database configuration requires special attention to be case sensitive.

For additional information, see "Correcting a Case Insensitive Database Deployment" on page 22.

Note: For information about the supported versions of MySQL, see the HP Fortify Software Security Center System Requirements document.

To configure the MySQL options file:

1. Stop the MySQL server.

2. Navigate to the installation directory of your MySQL server.

3. Open the MySQL options file in a text editor.

   Tip: To locate the options files and the order in which they are read, run the following command from a terminal: mysql --help.

   • On Windows systems, the default options file is my.ini.

     Note: The default location for MySQL 5.6 is c:\ProgramData\MySQL\MySQL Server 5.6.

   • On Linux systems, the default options file is my.cnf.

4. In both the [mysqld] and [mysqldump] sections, set max_allowed_packet to 1G. If the [mysqldump] section is not there, create it.

5. In the [mysqld] section, configure the following settings. If a setting is not included in the file, add it. In the options file, write sizes with MySQL's K, M, and G suffixes (for example, innodb_log_file_size=512M).

   Setting                   Value
   innodb_log_file_size      512MB
   query_cache_type          Any non-zero value
   query_cache_size          Between 64MB and 128MB
   innodb_buffer_pool_size   512MB (HP recommends 10GB or more)
   default-storage-engine    INNODB
   innodb_file_format        Barracuda (this setting is only for MySQL 5.6)
   innodb_large_prefix       1 (this setting is only for MySQL 5.6)

6. Save the file.

7. Restart the MySQL server.
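A mistyped or missing setting in this file only shows up after the server has been restarted and Software Security Center is in use, so it is worth checking the file mechanically before step 7. The following Python script is an added example, not part of this guide or of the product: it parses my.cnf or my.ini, normalises option names the way mysqld does (hyphens and underscores are interchangeable), converts the K, M, and G suffixes to bytes, and reports every setting that is missing or does not meet the values in the table above. The thresholds are those of the table; the parser, the finding messages, and the two embedded sample files are the example's own.

```python
"""Check a MySQL options file (my.cnf / my.ini) against the [mysqld] and
[mysqldump] settings required by the procedure above.

Added example; not part of the HP Fortify documentation or product.
Usage: python check_mysql_options.py /etc/my.cnf [5.6|5.7]
"""
import re
import sys

# mysqld reads the K, M and G size suffixes as powers of 1024.
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_options(text):
    """Parse option-file text into {section: {option: value}}.

    Names are normalised to underscores because mysqld treats
    default-storage-engine and default_storage_engine as the same option.
    '#' starts a comment anywhere on a line; ';' only at the line start.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower().replace("-", "_")] = value.strip()
    return sections


def to_bytes(value):
    """Convert '1G', '512M' or '67108864' to an integer byte count."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip().upper())
    if not m:
        raise ValueError("not a size: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2)]


def check_options(text, mysql_version="5.6"):
    """Return a list of findings; an empty list means the file complies."""
    opts, findings = parse_options(text), []

    def get(section, option):  # records a finding when the option is absent
        value = opts.get(section, {}).get(option)
        if value is None:
            findings.append("[%s] %s is not set" % (section, option))
        return value

    for section in ("mysqld", "mysqldump"):
        if section not in opts:
            findings.append("[%s] section is missing" % section)
            continue
        v = get(section, "max_allowed_packet")
        if v is not None and to_bytes(v) < _UNITS["G"]:
            findings.append("[%s] max_allowed_packet=%s, must be 1G" % (section, v))
    v = get("mysqld", "innodb_log_file_size")
    if v is not None and to_bytes(v) < 512 * _UNITS["M"]:
        findings.append("[mysqld] innodb_log_file_size=%s, must be at least 512M" % v)
    v = get("mysqld", "query_cache_type")
    if v is not None and v.upper() in ("0", "OFF"):
        findings.append("[mysqld] query_cache_type=%s, must be non-zero" % v)
    v = get("mysqld", "query_cache_size")
    if v is not None and not 64 * _UNITS["M"] <= to_bytes(v) <= 128 * _UNITS["M"]:
        findings.append("[mysqld] query_cache_size=%s, must be 64M to 128M" % v)
    v = get("mysqld", "innodb_buffer_pool_size")
    if v is not None and to_bytes(v) < 512 * _UNITS["M"]:
        findings.append("[mysqld] innodb_buffer_pool_size=%s, must be at least 512M" % v)
    v = get("mysqld", "default_storage_engine")
    if v is not None and v.upper() != "INNODB":
        findings.append("[mysqld] default-storage-engine=%s, must be INNODB" % v)
    if mysql_version.startswith("5.6"):  # the last two settings apply to 5.6 only
        v = get("mysqld", "innodb_file_format")
        if v is not None and v.lower() != "barracuda":
            findings.append("[mysqld] innodb_file_format=%s, must be Barracuda" % v)
        v = get("mysqld", "innodb_large_prefix")
        if v is not None and v.upper() not in ("1", "ON"):
            findings.append("[mysqld] innodb_large_prefix=%s, must be 1" % v)
    return findings


# Constructed sample: a stock-looking file that misses most requirements.
WEAK_CNF = """
[mysqld]
max_allowed_packet = 16M
innodb_buffer_pool_size = 128M
query_cache_type = 0
default-storage-engine = MyISAM
"""

# Constructed sample with the values from the procedure above.
HARDENED_CNF = """
[mysqld]
max_allowed_packet = 1G
innodb_log_file_size = 512M
query_cache_type = 1
query_cache_size = 64M
innodb_buffer_pool_size = 10G
default-storage-engine = INNODB
innodb_file_format = Barracuda   # MySQL 5.6 only
innodb_large_prefix = 1          # MySQL 5.6 only

[mysqldump]
max_allowed_packet = 1G
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CNF
    problems = check_options(text, sys.argv[2] if len(sys.argv) > 2 else "5.6")
    for p in problems:
        print("FAIL", p)
    sys.exit(1 if problems else 0)
```

Run with no arguments the script checks the weak sample and reports nine findings, including the missing [mysqldump] section; against the hardened sample it reports none. Pass 5.7 as the second argument to skip the two settings that apply only to MySQL 5.6.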

Configuring an Oracle Database

This section provides information about how to configure an Oracle database to prevent database-related errors.

Topics covered in this section:

• Preventing java.lang.OutOfMemoryError Errors from Occurring during Report Generation (page 26)
• Preventing the "No more data to read from socket" Error (page 27)

Preventing java.lang.OutOfMemoryError Errors from Occurring during Report Generation

If you use the ojdbc6 JDBC driver to connect to an Oracle 11g or 12c database, HP recommends that you set the value of the JDBC driver's oracle.jdbc.maxCachedBufferSize property as described in this topic. This change can be critical for the successful generation of several Software Security Center reports because it prevents the Oracle JDBC driver from consuming too much RAM during report generation.


The meaning of the value you set with the oracle.jdbc.maxCachedBufferSize property differs based on the Oracle release:

• If you are using an Oracle 11.1 or older database, the value is the size of the cache buffer in bytes. For example, if you set the value to 102400 (as shown below), the JDBC driver uses a cache buffer of 102.4 kilobytes.

    oracle.jdbc.maxCachedBufferSize=102400

• If you are using an Oracle 11.2 or 12c database, the value is log2 of the cache buffer size. For example, if oracle.jdbc.maxCachedBufferSize=N, the cache buffer size is 2^N bytes. If N=18 (as shown below), the buffer size is 2^18 bytes, or approximately 256 kilobytes.

    oracle.jdbc.maxCachedBufferSize=18

Do not carry the byte-count form (102400) over to an Oracle 11.2 or 12c configuration, because there the value is read as an exponent, not a byte count.

You set the value for a JDBC driver property in the DB connection properties field in the Software Security Center Configuration Tool. For more information, see "Configuring the Database Connection Parameters" on page 38.

Preventing the “No more data to read from socket” Error

If you use Oracle as the Software Security Center database, you might see an exception of the type "No more data to read from socket."

One possible solution to this exception is to do the following:

1. Navigate to the $ORACLE_HOME/network/admin/ directory.

2. Open the tnsnames.ora file in a text editor.

3. In the CONNECT_DATA section of the entry for the Software Security Center database, set SERVER to DEDICATED (SERVER=DEDICATED).

4. To apply the change, restart the active listener associated with the database.

Creating the Software Security Center Database Tables and Initializing the Schema

The Software Security Center installation directory contains an initialization script for each of the supported third-party database types. You must run the script for your database type to create the database tables and initialize the database schema for Software Security Center.

Warning: If you are upgrading a Software Security Center instance and you want to retain the data in the database, do not run the create-tables.sql script. Doing so will overwrite your existing Software Security Center Server database, resulting in permanent data loss. Instead, upgrade your existing database. For information about how to upgrade your existing database for use with Software Security Center, see "Upgrading Software Security Center" on page 108.

Before you perform the following procedure, review the information contained in the following sections:

• "About Database User Account Privileges" on page 23
• "About Database-Specific Configuration Requirements" on page 24


To run the Software Security Center database table creation and initialization script:

1. Navigate to the <SSC_Deploy>/sql directory.

2. Open the directory for the third-party database you plan to use with Software Security Center:
   • db2
   • mysql
   • Oracle
   • sqlserver

3. Copy the create-tables.sql script to the database server or other location from which you will run the script.

4. In the database client program, log onto the database account you created for use with Software Security Center. Use the account that has privileges to create tables (see "About Database User Account Privileges" on page 23), not the runtime account.

5. Review the warning in the introduction to this topic.

6. Create the database tables and initialize the schema by running the following script against your new Software Security Center database:

    create-tables.sql

   For example, if this is a MySQL database and the database schema is named ssc_DB, you run the following command, and enter the password when prompted:

    user> mysql -u <username> -p ssc_DB < create-tables.sql

See Next

"About LDAP User Authentication" on the next page

Permanently Deleting an Existing Software Security Center Database

To permanently delete a Software Security Center database schema along with all the data in the database, you run the drop-tables.sql script.

Warning: Running the drop-tables.sql script permanently removes the Software Security Center database schema and all the data in the database. Make sure you have backed up any data you want to save before running this script.

To delete the Software Security Center database schema and all the data in the database:

1. Navigate to the <SSC_Deploy>/sql directory, and open the subdirectory for the third-party database you plan to use with Software Security Center:
   • db2
   • mysql
   • Oracle
   • sqlserver

2. Copy the drop-tables.sql script from the subdirectory that matches your Software Security Center database type to the database server or other location where you will run the script.

3. In the database client program, log onto the database account you created for use with Software Security Center.

4. Review the warning in the introduction to this topic.

5. Remove the Software Security Center database schema and all the data in the database by running the following script:

    drop-tables.sql

About LDAP User Authentication

The topics in this section provide information about user authentication in Software Security Center and configuring LDAP authentication and LDAP server options.

Note: For information about managing LDAP entities and user roles in Software Security Center, see "Registering LDAP Entities with Software Security Center" on page 91 and "About Managing LDAP User Roles" on page 91.

Topics covered in this section:

• About Software Security Center User Authentication (page 29)
• Preparing to Configure LDAP Authentication (page 30)
• About the LDAP Server Referrals Feature (page 30)
• Disabling Referrals Support (page 31)

About Software Security Center User Authentication

By default, when a user logs on to Software Security Center or uses an HP Fortify client to upload Fortify project results files (FPRs), Software Security Center uses its database to authenticate the user. Software Security Center then binds the authenticated user to the user's assigned user role (Administrator, Security Lead, Developer, or Auditor).

Database-only authentication imposes a separate administrative process for creating and managing Software Security Center user accounts and roles. For that reason, most administrators augment the default database-only authentication with LDAP, which lets a single administrative process manage user authentication for multiple network entities, including Software Security Center. You can configure Software Security Center to augment its native database-only user authentication with LDAP user authentication.


Preparing to Configure LDAP Authentication

Before you configure Software Security Center to use LDAP authentication, complete the following tasks:

1. Download the JXplorer LDAP browser. If you are not familiar with the LDAP schema that your LDAP server uses, you can use the third-party tool JXplorer to view and modify LDAP authentication directories. You can download JXplorer for free under a standard OSI-style open source license from http://www.jxplorer.org.

2. Create an LDAP account for Software Security Center to use. If your LDAP server does not permit anonymous binding, create a read-only LDAP account for Software Security Center to use. Software Security Center requires an account with the permissions necessary to read user attributes and authenticate users. (Even if your LDAP server supports anonymous binding, you may prefer to create an LDAP read-only account for Software Security Center.)

   Note: Never use an individual person's user account to provide Software Security Center access to an LDAP server; use a dedicated read-only account.

3. Check for conflicts between account names.

   If the LDAP directory contains an account with the same name as the default Software Security Center account, admin, a conflict occurs that can disable both accounts. If an existing Software Security Center account has the same name as an account defined on the LDAP server, Software Security Center's account settings and attributes take precedence over those stored on the LDAP server.

4. Gather and record the required information. Review "Configuring the LDAP Server Properties" on page 43 and record any information you need to configure LDAP authentication.

5. HP recommends that you disable the referrals feature. See "About the LDAP Server Referrals Feature" below and "Disabling Referrals Support" on the next page.

You configure the LDAP server options on the LDAP page with the Software Security Center Configuration Tool.

See Also

"Configuring the LDAP Server Properties" on page 43

About the LDAP Server Referrals Feature

Some LDAP servers use a special feature called referrals. A referral is an entity that contains the names and locations of other objects. A referral is used to redirect a client request to another server. It is sent by the server to indicate that the information that the client has requested can be found at another location (or locations), possibly at another server or several servers.

If Software Security Center requests an LDAP object and this object is a referral, Software Security Center must request additional information about the LDAP object from another server, the address of which is returned in the REF object attribute. These additional requests can decrease LDAP communication speed. Even if the LDAP server does not use the referrals feature, additional operations that support referrals are performed.

If referrals are not used on your LDAP server, HP recommends that you disable referrals support in the LDAP library. Disabling this option on the Software Security Center side makes the Software Security Center-to-LDAP communication process much faster. For instructions, see "Disabling Referrals Support" below.

Note: For a complete description of referrals, go to http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/overview.html.

Disabling Referrals Support

To disable referrals support:

1. Start the Software Security Center Configuration Tool. For instructions, see "Starting the Software Security Center Configuration Tool" on page 33.

2. At the top of the Welcome page, click LDAP.

3. In the LDAP referrals processing strategy field, select ignore.

4. Save your changes and redeploy the ssc.war file. For instructions, see "Saving the Configuration Tool Settings" on page 34 and "Completing the Software Security Center Configuration and Deploying the WAR File" on page 50.


Chapter 5: Configuring Software Security Center with the Configuration Tool

The Software Security Center Configuration Tool (also known as the configuration tool) is a wizard that enables you to easily set the values of the properties that are stored in the Software Security Center properties file and perform the preliminary tasks you need to complete before you can deploy and start Software Security Center.

Note: You can also configure the configuration tool properties from the command line. For instructions, see "Running the Configuration Tool from the Command Line" on page 117.

After you have finished the initial Software Security Center configuration, you complete the configuration of the core parameters and configure additional settings on the Administration page of Software Security Center. (For information about the Administration page, see "Completing the Configuration of Software Security Center" on page 67.)

If you are not able to complete the configuration, save your changes before closing the configuration tool. For instructions, see "Saving the Configuration Tool Settings" on page 34.

The configuration tool pages are described in the following table:

• Welcome: This is the first page of the configuration tool. If you are migrating from a version of Software Security Center older than 4.30, you can import an existing WAR file from this page. See "Migrating from a Previous Version of Software Security Center" on page 34.

• Core: Use the Core page to select the application server and its JDK version. You also configure the address of Software Security Center on this page. See "Configuring the Core Parameters" on page 35.

• Database Setup: Use the Database Setup page to specify the location and credentials of the third-party database and to perform other database-related tasks such as seeding the database with process templates and reports. See "About Setting Up the Database" on page 36.

• LDAP: Use the LDAP page to configure Software Security Center to work with an LDAP authentication server. See "Configuring the LDAP Server Properties" on page 43.

• Defect Tracker Plugins: Use the Defect Tracker Plugins page to replace a defect or bug tracker plugin or to deploy a defect or bug tracking plugin that you authored for your organization. See "Configuring the Defect Tracker Plugins" on page 49.

• Finish: Use the Finish page to save the WAR file that contains the changes you made using the configuration tool. The Finish page also contains information about the path to the Software Security Center Administration page on which you complete the configuration process after you have deployed the WAR file. See "Completing the Software Security Center Configuration and Deploying the WAR File" on page 50.

The buttons that are found on most of the configuration tool pages are described in the following table:

Button: Prev
Description: Returns you to the previous page of the configuration tool.

Button: Next
Description: Moves you to the next page in the configuration tool.

Button: Show Log
Description: Displays the log file that shows warnings and errors related to the configuration process.

Button: Close
Description: Closes the configuration tool without saving your changes. (To save your changes, see "Saving the Configuration Tool Settings" on the next page.)

Tip: You can easily move between the configuration tool pages by clicking the links at the top of each page.

See Next

"Starting the Software Security Center Configuration Tool" below

Starting the Software Security Center Configuration Tool

To start the Software Security Center Configuration Tool:

1. Navigate to and open the <SSC_Deploy> directory.

Note: This is the directory into which you extracted HP_Fortify_SSC_4.30_Server_WAR.zip. (See "Unpacking and Deploying Software Security Center Software" on page 20.)

2. Do one of the following:

• If your application server is installed on a Windows system, run the ssc-configuration-wizard.cmd script.

Note: If you do not want the Java console window to display, run the ssc-configuration-wizard-no-console.cmd script.

• If your application server is installed on a Linux system, run the ssc-configuration-wizard script.

The system prompts you to specify the location of the Software Security Center WAR file.

3. Navigate to and select the ssc.war file located in your application server's webapps directory.

Installation and Configuration Guide, Chapter 5: Configuring Software Security Center with the Configuration Tool


4. Click Open. The system loads the WAR file, and then prompts you to specify the location of the license file for Software Security Center.

5. Navigate to and select the fortify.license file, and click Open. The Welcome page of the Software Security Center Configuration Tool opens.

See Next

"Saving the Configuration Tool Settings" below

Saving the Configuration Tool Settings

If you are not able to complete the Software Security Center Configuration Tool settings, you should save your changes before you exit the tool.

To save your changes:

1. At the top of the Welcome page, click Finish.

2. Click the Save and Finish button.

3. When you are asked to confirm that you want to save your changes, click Yes.

The ssc.war file is saved.

Caution: Do not change the name of the ssc.war file. If the file name is changed, parts of Software Security Center will not work correctly.

The configuration tool closes. The next time you start the configuration tool, the values you saved are displayed.

To deploy the saved WAR file, see "Completing the Software Security Center Configuration and Deploying the WAR File" on page 50.

See Next

"Migrating from a Previous Version of Software Security Center" below

Migrating from a Previous Version of Software Security Center

If you are migrating from a version of Software Security Center older than 4.30, you can import many of the Software Security Center property values from the older version using the Import War File button on the Welcome page. (The Welcome page is the first page of the Software Security Center Configuration Tool.)

To import property values from an earlier Software Security Center WAR file:

1. Generate and run the database migration script. For instructions, see "About Running Software Security Center Database Upgrade Scripts" on page 109.

2. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on the previous page.)

3. On the Welcome page, click Import WAR File.

4. Navigate to the WAR file you want to import.


5. Click Open. The configuration tool fields are populated with the property values from the WAR file.

6. Navigate to the Database Setup page.

Caution: Before continuing, make sure both of the following conditions are true:

• You generated and ran the Migration SQL script. (See step 1.)

• You imported the ssc.war file from a version of Software Security Center older than 4.30. (See step 3.)

7. Click the Save Settings in Database button.

8. Navigate to the WAR file that you imported earlier.

9. Click Open.

The Software Security Center property values are added to the database.

See Next

"Configuring the Core Parameters" below

Configuring the Core Parameters

You identify the application server, its JDK version, and the address of Software Security Center on the Core page of the Software Security Center Configuration Tool.

Note: You configure additional core settings on the Software Security Center Administration page after you have completed the Configuration Tool tasks and deployed Software Security Center on the application server. For more information, see "Completing the Configuration of Software Security Center" on page 67 and "Deploying Software Security Center in an Application Server" on page 51.

To configure the core parameters:

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click Core.


3. Configure the fields on the Core page as described in the following table:

Field: Application Server
Description: Select the name and release number of the application server to which you will be deploying the WAR file.

Field: Application Server JDK Version
Description: Select a Java Development Kit (JDK) that is compatible with the application server you will use to run Software Security Center. For the list of supported application servers and JDKs, see the HP Fortify Software Security Center System Requirements document.

Field: URL to reach HP Fortify Software Security Center
Description: Enter the URL at which Software Security Center will be installed.

See Next

"About Setting Up the Database" below

About Setting Up the Database

After you create and initialize the Software Security Center database, you configure the connection between Software Security Center and the database and add seed data to the database.

Important: Before you set up the database connection, you must install and create the database and tables and initialize the database schema. For more information, see "About the Software Security Center Database" on page 21.

Set up the database connection as described in the following table:

Task 1: Configure the database connection parameters.
Information and Instructions: "Configuring the Database Connection Parameters" on page 38

Task 2: If this is a new installation of Software Security Center and you have not created the database, create and initialize the database.
Information and Instructions: "About the Software Security Center Database" on page 21

If this is a new installation of Software Security Center and you have already created and initialized the database, go to task 3.

If you are upgrading an existing database for use with Software Security Center, migrate the database schema to the current release.

Important: If you are upgrading an existing database, you must click the Generate Migration SQL button to generate the SQL file and apply the generated SQL script to the Software Security Center database before you continue with the upgrade. For instructions, see "About Running Software Security Center Database Upgrade Scripts" on page 109.

After you have generated the SQL file and applied the generated SQL script against the Software Security Center database, you can wait until after you have completed configuring all the configuration tool pages and saved the WAR file to finish the upgrade tasks.

Information and Instructions: "Upgrading Software Security Center" on page 108

Task 3: Test the JDBC connection.
Information and Instructions: "Testing the JDBC Connection" on page 40

Task 4: If this is a new installation of Software Security Center, seed the database.

Caution: Do not seed the database until you have completed all the tasks required to create and initialize the new database (see task 2).

Important: If this is a new Software Security Center database instance, you must seed the database before you start Software Security Center.

Information and Instructions: "About Seeding the Software Security Center Database" on page 41

If you are upgrading an existing database for use with Software Security Center, reseed the upgraded Software Security Center database.

Caution: Do not reseed the database until you have completed the upgrade tasks (see task 2).

Information and Instructions: "About Reseeding the Upgraded Database" on page 111

Task 5: (Optional) Validate that the database has been seeded with a process template bundle.
Information and Instructions: "Validating the Database (Optional)" on page 42

Task 6: (Optional) If you are migrating the database from a version of Software Security Center older than 4.30 and you have imported the earlier version of the WAR file into the Software Security Center database, you can also import the values of some of the Software Security Center properties from the earlier version of the Software Security Center WAR file into the database.

If you choose not to do this now, you can manually enter these values later on the Software Security Center Administration page. (See "Completing the Configuration of Software Security Center" on page 67.)

Information and Instructions: "Moving Software Security Center Property Values from an Imported WAR File into the Database" on page 43

See Next

"Configuring the Database Connection Parameters" below

See Also

"Starting the Software Security Center Configuration Tool" on page 33

"About the Software Security Center Database" on page 21

"Creating the Software Security Center Database Tables and Initializing the Schema" on page 27

Configuring the Database Connection Parameters

You specify the location and credentials of the Software Security Center third-party database on the Database Setup page of the Software Security Center Configuration Tool.

To configure the database connection parameters:

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click Database Setup.

3. If you are configuring Software Security Center for the first time, do the following:

a. Click the Add JDBC Driver button. The Locate JAR file dialog box opens.

b. Navigate to the location of the JDBC driver for your database, and click Open. The Database Driver Class drop-down list is populated.

4. Configure the fields on the Database Setup page as described in the following table:

Field: Database Type
Description: Select the type of database you are using.

Field: Database Driver Class
Description: Download the JDBC driver (see "About JDBC Drivers" on page 21):

a. From the Database Driver Class drop-down list, select the database driver class for the JDBC driver that is to be deployed with the Software Security Center WAR file.

Note: The values in this list are based on the JDBC driver you selected in step 3.

b. Download the driver in one of the following ways:

o Click the link located below the Database Driver Class field to go to the web site from which you can download the driver.

o Open a browser window, go to the web site for the JDBC driver manufacturer, and download the recommended version of the JDBC driver.

For information about the database driver classes supported by Software Security Center, see the HP Fortify Software Security Center System Requirements document.

Field: JDBC URL
Description: Type the URL for the Software Security Center database. See the example that is shown beneath the JDBC URL field for the format of the URL. The example changes based on the Database Driver Class you select. For information about the syntax to use for the URL, see the documentation for your database.

Important: If you are using Microsoft SQL Server and it is configured to use any character encoding other than Unicode, you must also append the following property setting to the end of the URL:

sendStringParametersAsUnicode=false

For example:

jdbc:sqlserver://dbhost:1433;database=ssc;sendStringParametersAsUnicode=false

Important: If you are using an IBM DB2 database, you must include the following property settings in the URL:

progressiveStreaming=2
fullyMaterializeInputStreams=true
allowNextOnExhaustedResultSet=1

For example:

jdbc:db2://mydb2database:50000/fortifydb:progressiveStreaming=2;fullyMaterializeInputStreams=true;allowNextOnExhaustedResultSet=1;

Field: Database Username
Description: Type the username for the Software Security Center database. For more information, see "About Database User Account Privileges" on page 23.

Field: Database Password
Description: Type the password for the Software Security Center database.

Field: Maximum idle connections
Description: Type the maximum number of idle connections that can remain in the pool. The default value is 50.

Field: Maximum active connections
Description: Type the maximum number of active connections that can remain in the pool. The default value is 100.

Field: Maximum wait (ms)
Description: Type the maximum wait time in milliseconds before the system times out. The default value is 60000.

Field: Database connection properties
Description: You can set a JDBC driver property using this field. To do this, type the JDBC driver property and its new value in the form <property>=<value>. To enter more than one property and value, separate the entries with a semicolon (;). For the list of allowed property names and their values, refer to the documentation for your JDBC driver.

Important: If you use the oracle6 JDBC driver to connect to an Oracle 11g or 12c database, see "Preventing java.lang.OutOfMemoryError Errors from Occurring during Report Generation" on page 26 for important information about this field.
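The JDBC URL field above lists driver properties that must be present for DB2, and for SQL Server with a non-Unicode encoding. The following Python check, added here as an example and not part of the HP guide or the configuration tool, parses the name=value segments of a JDBC URL in both styles the table shows and reports which required settings are missing or carry the wrong value. The function names, the sample URLs and the case-sensitive matching of property names are assumptions made for illustration.

```python
"""Check a Software Security Center JDBC URL for the driver property
settings the Database Setup page requires.

Added example for this guide, not HP code. The required name=value pairs
are the ones the JDBC URL field description lists; everything else
(function names, sample URLs) is constructed for illustration."""
import re

# Exact name=value pairs the guide requires per driver subprotocol
# (assumed here to be matched case-sensitively).
REQUIRED_PROPERTIES = {
    "db2": {
        "progressiveStreaming": "2",
        "fullyMaterializeInputStreams": "true",
        "allowNextOnExhaustedResultSet": "1",
    },
    # Required only when SQL Server uses a non-Unicode character encoding.
    "sqlserver": {"sendStringParametersAsUnicode": "false"},
}

# name=value segments; ';' terminates a value in both URL styles on the page
PROPERTY_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_.]*)=([^;]*)")


def parse_jdbc_url(url):
    """Return (subprotocol, {property: value}) for a JDBC URL.

    Handles both styles shown in the guide: SQL Server separates
    'name=value' segments with ';' after host:port, DB2 appends them
    after ':' at the end of the path (also ';'-separated).
    """
    if not url.startswith("jdbc:") or url.count(":") < 2:
        raise ValueError("not a JDBC URL: %r" % url)
    subprotocol = url.split(":", 2)[1].lower()
    props = {name: value for name, value in PROPERTY_RE.findall(url)}
    return subprotocol, props


def missing_properties(url, sqlserver_non_unicode=False):
    """List the required 'name=value' settings absent or wrong in the URL.

    sqlserver_non_unicode: set True when the SQL Server instance uses a
    character encoding other than Unicode; only then does the guide
    require sendStringParametersAsUnicode=false.
    """
    subprotocol, props = parse_jdbc_url(url)
    required = REQUIRED_PROPERTIES.get(subprotocol, {})
    if subprotocol == "sqlserver" and not sqlserver_non_unicode:
        required = {}
    return ["%s=%s" % (k, v) for k, v in required.items() if props.get(k) != v]


# Constructed sample URLs based on the formats in the guide (not real hosts).
DB2_URL = ("jdbc:db2://mydb2database:50000/fortifydb:progressiveStreaming=2;"
           "fullyMaterializeInputStreams=true;allowNextOnExhaustedResultSet=1;")
SQLSERVER_URL = "jdbc:sqlserver://dbhost:1433;database=ssc"

if __name__ == "__main__":
    for url in (DB2_URL, "jdbc:db2://mydb2database:50000/fortifydb", SQLSERVER_URL):
        print(url, "->", missing_properties(url, sqlserver_non_unicode=True) or "ok")
```

Run the check on the URL before clicking Test JDBC: a DB2 URL without the three settings is reported with all three, and a SQL Server URL is flagged only when you tell the function the instance is non-Unicode.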

See Next

• If you are installing a new database and have not already created the database, see "About the Software Security Center Database" on page 21.

• If you have already created the database, see "Testing the JDBC Connection" below.

• If you are upgrading an existing database, see "Upgrading Software Security Center" on page 108.

Testing the JDBC Connection

After you have configured the database parameters on the Database Setup page, you must test the JDBC connection.

To test the JDBC connection:

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click Database Setup.

3. Click the Test JDBC button.

The JDBC connection test starts. When the test is complete, a message tells you whether the connection was successful.

4. Click OK to close the message.


See Next

• If this is a new installation of Software Security Center, see "About Seeding the Software Security Center Database" below.

• If you are upgrading an existing database, see "About Reseeding the Upgraded Database" on page 111.

About Seeding the Software Security Center Database

When you log on to Software Security Center for the first time, Software Security Center requires a minimum set of data to process your initial logon credentials and to provide basic Software Security Center functionality. Seeding creates the minimum data set for a new database.

Seeding the Software Security Center database is necessary to maintain a consistent post-installation configuration. This includes the creation of the default administrator user account, as well as required entities such as project templates, process templates, report definitions, and other default data required to make Software Security Center operational.

Software Security Center requires two of the seed bundles you downloaded earlier (see "Unpacking and Deploying Software Security Center Software" on page 20):

l The process template seed bundle (HP_Fortify_Process_Seed_Bundle_2015_Q1.zip) provides a default admin user account, as well as project template and process template data.

l The report seed bundle (HP_Fortify_Report_Seed_Bundle_2015_Q1.zip) provides the default set of Software Security Center reports.

You can also install the optional PCI Basic Bundle (HP_Fortify_PCI_3.0_Basic_Seed_Bundle_2015_Q1.zip), which adds a Payment Card Industry process template and an associated report to the default set of Software Security Center process templates and reports.

After you finish seeding the database, you can modify any user-configurable data entities that were created in the seeding process in the Software Security Center user interface. For more information, see "Completing the Configuration of Software Security Center" on page 67.

Topics covered in this section:

• Seeding a New Software Security Center Database 41

• Validating the Database (Optional) 42

See Next

• If this is a new database, see "Seeding a New Software Security Center Database" below.

• If you are upgrading the database, see "About Reseeding the Upgraded Database" on page 111.

Seeding a New Software Security Center Database

The procedure in this section assumes that you have done the following:

1. Created the Software Security Center database (see "Creating the Software Security Center Database Tables and Initializing the Schema" on page 27).

2. Configured and tested the Software Security Center database connection (see "Configuring the Database Connection Parameters" on page 38).

3. Tested the JDBC connection (see "Testing the JDBC Connection" on the previous page).


4. Copied the Process Templates seed bundle file and reports seed bundle file to the HP-Fortify-Server-WAR directory (see "Unpacking and Deploying Software Security Center Software" on page 20).

To seed a new Software Security Center database:

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click Database Setup.

3. Make sure that the database user credentials specified in the Database Username and Database Password fields are for a user account with the privileges required for executing migration scripts. These privileges are described in "About Database User Account Privileges" on page 23.

4. Seed the Software Security Center database with the default process templates:

a. Click Seed Process Templates. The Locate Process Template configuration file dialog box opens.

b. Browse to the process templates seed bundle file (HP_Fortify_Process_Seed_Bundle_2015_Q1.zip), and then click Open.

5. Seed the Software Security Center database with the default set of reports:

a. Click Seed Reports. The Locate Report configuration file dialog box opens.

b. Select the report seed bundle file (HP_Fortify_Report_Seed_Bundle_2015_Q1.zip), and click Open.

6. (Optional) If necessary, seed the Software Security Center database with the PCI Basic Bundle:

a. Click Seed Reports. The Locate Report configuration file dialog box opens.

b. Select the PCI seed bundle file (HP_Fortify_PCI_3.0_Basic_Seed_Bundle_2015_Q1.zip), and click Open.

See Next

"Validating the Database (Optional)" below

Validating the Database (Optional)

After you have seeded—or reseeded—the database, you can validate that the database was seeded with the process template bundle. This step is optional.

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click Database Setup.

3. Click Validate Database.

4. After successful validation, click OK to close the message.

See Next

• If you are creating a new database, see "Configuring the LDAP Server Properties" on the next page.

• If you are upgrading an existing database, see "Moving Software Security Center Property Values from an Imported WAR File into the Database" on the next page.


Moving Software Security Center Property Values from an Imported WAR File into the Database

These instructions are optional for users who are migrating from a version of Software Security Center older than 4.30.

After you have finished the tasks required to set up the database connection, you can move the property values stored in the earlier version of the Software Security Center WAR file into the Software Security Center database. If you do not move these values into the database now, you can configure them later by manually entering them in the Configuration category on the Software Security Center Administration page. (See "Completing the Configuration of Software Security Center" on page 67.)

To move the property values from an imported WAR file into the database:

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click Database Setup.

Caution: Continue only if both of the following conditions are true:

• You generated and applied the Migration SQL script. (See "About Running Software Security Center Database Upgrade Scripts" on page 109.)

• You imported the ssc.war file from a version of Software Security Center older than 4.30. (See "Migrating from a Previous Version of Software Security Center" on page 34.)

3. Click Save Settings in Database.

4. Navigate to the WAR file that you imported earlier.

5. Click Open.

The Software Security Center property values are added to the database. To view or edit the property values that you added to the database, see "About the Administration Page".

See Next

"Configuring the LDAP Server Properties" below

Configuring the LDAP Server Properties

You configure Software Security Center to work with a single LDAP authentication server on the LDAP page of the Software Security Center Configuration Tool.

Important: Before configuring the properties on the LDAP page, you must prepare for LDAP authentication as described in "About LDAP User Authentication" on page 29.

If you want to use additional LDAP servers, you must configure them manually. For instructions, see "Configuring Software Security Center to Use Multiple LDAP Servers" on page 120.


To configure Software Security Center to work with a single LDAP authentication server:

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click LDAP.

3. Configure the fields on the LDAP page as described in the following table:

Field: Enable LDAP Integration
Description: Select this check box to enable the fields required for LDAP integration. This check box is not selected by default.

Field: Cache LDAP User Data
Description: Select this check box to enable LDAP user data caching in Software Security Center.

Note: HP recommends that you leave LDAP user caching enabled. Changes to user information made directly in the LDAP server may not be reflected in Software Security Center for up to an hour. However, a slow connection between Software Security Center and the LDAP server or a large LDAP directory with slow searches could degrade Software Security Center performance. Typically, user data are seldom changed directly in the LDAP server.

This check box is selected by default.

Field: Enable Nested LDAP Groups
Description: Select this check box to enable nested group support for LDAP in Software Security Center. (In nested LDAP groups, a given member of a group might itself be a group.)

Note: Use nested LDAP groups only if you absolutely must. Enabling nested LDAP groups forces Software Security Center to perform extra tree traversals during authentication. HP strongly recommends that you clear this check box if you do not plan to use nested groups.

This check box is not selected by default.

Field: Server URL
Description: Type the LDAP authentication server URL. If you use unsecured LDAP, enter the URL in the following format:

ldap://<hostname>:<port>

If you use secured LDAPS, enter the URL in the following format:

ldaps://<hostname>:<port>

LDAPS ensures that user credentials are encrypted before they are transmitted.

Field: Bind User DN
Description: Type the full distinguished name (DN) of the account Software Security Center uses to connect to the authentication server.

Note: If your LDAP server supports anonymous binding, you are not required to specify values for Bind User DN and Bind User Password. Check with your LDAP administrator to find out whether your LDAP server supports anonymous binding.


The general format for an account specifier is as follows:

cn=<accountName>,ou=users,dc=<domainName>,dc=com

where accountName represents the minimum-privilege, read-only authentication server account you created for exclusive use by Software Security Center.

Caution: For security reasons, never use a user's account name in a production environment.

If you use Active Directory, specify the full username with the domain in the following format:

<Domain_Name>\<Username>

Field: Bind User Password
Description: Type the password for the Bind User DN account.

Note: If your LDAP server supports anonymous binding, you are not required to specify values for Bind User DN and Bind User Password. Check with your LDAP administrator to find out whether your LDAP server supports anonymous binding.

Field: Base DN
Description: Type the Base Distinguished Name (DN) for LDAP directory structure searches.

For example, the Base DN for companyName.com is dc=companyName,dc=com. All DN values are case sensitive, must not contain extra spaces, and must exactly match LDAP server entries.

Field: Relative Search DNs (1 per line)
Description: (Optional) Type the Relative Distinguished Name (RDN). An RDN defines the starting point from the Base DN for LDAP directory searches. HP recommends searching from the base DN. However, if your LDAP directory is so large that searching for Software Security Center users takes too long, use an RDN to limit the number of LDAP entries searched.

For example: To search within the base DN companyName.com and all entries under that base DN, specify the following:

cn=users

or

cn=users,ou=divisionName

to recursively search all entries under that path.

The remaining attributes on the LDAP page are configured to work with the default configuration of Active Directory because most people appear to use Active Directory. However, if your LDAP server is set up differently, you can change these attribute values.
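The LDAP page fields described above carry several settings the guide treats as risk or performance points: an ldap:// Server URL sends the bind credentials and user passwords in clear text, DN values must be exact and free of extra spaces, nested groups add tree traversals on every authentication, and disabling the user-data cache is discouraged. The following Python review, added here as an example and not part of the HP guide or the configuration tool, walks a dictionary of those field values and returns the findings an administrator would want to fix before deploying. The dictionary key names, the severity labels and the sample values are assumptions constructed for illustration; the ldaps:// port 636 in the hardened variant is the conventional LDAPS port, not a value from the guide.

```python
"""Review the LDAP page settings of a Software Security Center
configuration for the risk points the guide calls out.

Added example, not HP code. The settings dict, its key names and the
sample values are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Constructed sample of the LDAP page values (not a real configuration).
SAMPLE_LDAP_SETTINGS = {
    "enable_ldap_integration": True,
    "cache_ldap_user_data": False,
    "enable_nested_ldap_groups": True,
    "server_url": "ldap://ldap.example.com:389",
    "bind_user_dn": "cn=ssc-bind,ou=users,dc=example,dc=com",
    "bind_user_password": "placeholder-secret",
    "base_dn": "dc=example,dc=com",
}

# One 'attr=value' DN component, no leading/trailing spaces around it.
DN_COMPONENT = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")
# Active Directory form from the guide: <Domain_Name>\<Username>
AD_ACCOUNT = re.compile(r"^[^\\\s]+\\[^\\\s]+$")


def is_valid_dn(dn):
    """True if every comma-separated component is attr=value with no stray spaces."""
    return bool(dn) and all(DN_COMPONENT.match(p) for p in dn.split(","))


def review_ldap_settings(settings):
    """Return a list of (severity, message) findings for the LDAP page values."""
    findings = []
    if not settings.get("enable_ldap_integration"):
        return [("info", "LDAP integration disabled; the remaining fields are ignored")]

    url = urlsplit(settings.get("server_url", ""))
    if url.scheme == "ldap":
        findings.append(("high", "Server URL uses ldap://; bind and user credentials "
                                 "are sent unencrypted, use ldaps://"))
    elif url.scheme != "ldaps":
        findings.append(("high", "Server URL scheme %r is neither ldap nor ldaps" % url.scheme))
    if url.scheme in ("ldap", "ldaps") and url.port is None:
        findings.append(("low", "Server URL has no explicit port; the guide's format "
                                "is <scheme>://<hostname>:<port>"))

    bind, password = settings.get("bind_user_dn", ""), settings.get("bind_user_password", "")
    if bind and not (is_valid_dn(bind) or AD_ACCOUNT.match(bind)):
        findings.append(("medium", "Bind User DN is neither a DN nor Domain\\Username"))
    if bind and not password:
        findings.append(("medium", "Bind User DN set without a Bind User Password"))
    if not bind and not password:
        findings.append(("info", "No bind account: the LDAP server must support anonymous binding"))

    if not is_valid_dn(settings.get("base_dn", "")):
        findings.append(("medium", "Base DN is malformed; DN values are case sensitive "
                                   "and must not contain extra spaces"))
    if settings.get("enable_nested_ldap_groups"):
        findings.append(("low", "Nested LDAP groups enabled; extra tree traversals during "
                                "authentication, clear it unless nested groups are needed"))
    if not settings.get("cache_ldap_user_data", True):
        findings.append(("low", "LDAP user data caching disabled; HP recommends leaving it enabled"))
    return findings


if __name__ == "__main__":
    for severity, message in review_ldap_settings(SAMPLE_LDAP_SETTINGS):
        print("%-6s %s" % (severity, message))
```

The sample settings produce one high finding (clear-text ldap://) and two low ones; switching the URL to ldaps://, re-enabling the cache and clearing nested groups yields an empty list, as does replacing the DN-style bind account with the Domain\Username form.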


Object class attribute

Type the class of the object.

For example, if this is set to objectClass, Software Security Center looks at the objectClass attribute to determine the entity type to search.The default value is objectClass.

Distinguished name (DN) attribute

Type the value that determines the attribute Software Security Center looks at to find the distinguished name of the entity.

The default value is distinguishedName.

Object SID (objectSid) attribute

Type the name of the attribute that contains the LDAP entity's objectSid (the object security identifier). This attribute is used for searching users by their object security ID. You must set this attribute and the Base security identifier (SID) of LDAP directory objects value if your Software Security Center does all of the following:

• Uses Active Directory

• Uses more than one LDAP directory in Software Security Center

• Uses LDAP groups that contain both native users (from the same domain) and foreign users (from a trusted domain)

The default value is objectSid.

Base security identifier (SID) of LDAP directory objects

Applicable only when the LDAP server is Active Directory. Type (or copy and paste) the base security identifier as described below. Software Security Center uses this value to detect which LDAP server a foreign user belongs to when it finds foreign users in LDAP groups that were added in Software Security Center.

An objectSid value consists of two parts:

• The base security identifier (the domain SID). It is the same for all objects defined in the same directory.

• The object's own identifier, which is unique for every object defined in that directory.

For example, in

S-1-5-21-90214465-2227616183-3700750884-1202

the base security identifier is S-1-5-21-90214465-2227616183-3700750884 and the object identifier is 1202. Type only the base part in this field.


You must set this value and the Object SID (objectSid) attribute if your Software Security Center does all of the following:

• Uses Active Directory

• Uses more than one LDAP directory in Software Security Center

• Uses LDAP groups that contain both native users (from the same domain) and foreign users (from a trusted domain).

User class

Type the object class that identifies an LDAP object type as a user.

The default value is organizationalPerson. Note that in Active Directory, contact and computer objects also carry the organizationalPerson class; if such entries appear in user searches, narrow this value to user.

User username attribute

Type the user object attribute that specifies a username.

The default value is sAMAccountName.

User first name attribute

Type the user object attribute that specifies a user’s first name.

The default value is givenName.

User last name attribute

Type the user object attribute that specifies a user’s last name.

The default value is sn.

User email attribute

Type the user object attribute that specifies a user’s email address.

The default value is mail.

Group class

Type the object class that identifies an LDAP object type as a group.

The default value is group.

Group name attribute

Type the group attribute that specifies the group name.

The default value is cn.

Group member attribute

Type the group attribute that defines the members of the group.

The default value is member.

Organizational unit class

Type the object class that defines an LDAP object as an organizational unit.

The default value is container.

Organizational unit name attribute

Type the organizational unit attribute that specifies the organizational unit name.

The default value is cn.

LDAP referrals processing strategy

If you have only one LDAP server, HP recommends that you select ignore, so that lookups are faster. If you have a multi-domain LDAP configuration and you use LDAP referrals, select follow.

The default value is ignore.


Note: For background on LDAP referrals and when they are used, see "About the LDAP Server Referrals Feature" on page 30.

Enable paging in LDAP search queries

If the LDAP server supports paging, select this check box to enable paging in LDAP search queries. This check box is not selected by default.

Page size of LDAP search request results

If your LDAP server limits the number of objects returned by a search and paging is enabled, type a value that is less than or equal to your LDAP server's limit. (Active Directory's default MaxPageSize is 1000, which the default value stays below.)

The default value is 999.

Cache: Initial thread pool size

Type the initial number of available cache update threads. This value is used to configure the thread pool for the task executor, which updates the LDAP cache in several threads simultaneously.

The default value is 4.

Cache: Max threads per cache

Type the maximum number of threads dedicated for each update process (user action). Each time a user clicks Update, a new update process starts.

The default value is 4.

Cache: Max thread pool size

Type the maximum number of threads that can be made available if the initial thread pool size is not adequate for the update process.

The default value is 12.

Cache: Max object lifetime (ms, '-1' to turn off)

If you want objects in the cache to refresh more frequently than the default cache refresh time (typically 1 hour), type the maximum amount of time (in milliseconds) that an object can stay in the cache before it is refreshed with new information from the LDAP server. Type -1 to turn off the per-object lifetime, so that cached items refresh only at the default frequency.

The default value is 1800000 (30 minutes).

Interval between LDAP server validation attempts

Type the frequency (in milliseconds) at which Software Security Center attempts to validate the availability of the LDAP server after an earlier validation failed.

The default value is 5000.

Time to wait LDAP validation, ms

Type the length of time (in milliseconds) that Software Security Center waits for a response after sending a request to the LDAP server to update the cache. If no response is received within that time, the update is not performed, and the request is sent again at the frequency set in the Interval between LDAP server validation attempts field.

The default value is 5000.
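The following Python script is an added example (it is not part of this guide or of Software Security Center) that exercises two details the table above leaves implicit: how to turn the binary objectSid that Active Directory returns into the printable S-1-5-21-... form and its base (domain) part for the Base security identifier field, and how the user and group class and attribute defaults combine into LDAP search filters whose values are escaped per RFC 4515, so that a login name containing ( ) * or \ cannot rewrite the filter. The attribute names are the table's defaults, the SID is the document's example, and the user and group names are constructed inputs.

```python
"""objectSid decoding and escaped search filters for the LDAP attribute
mapping above.  Added example, not SSC code.  Attribute names are the
table's defaults; the SID is the document's example; user/group names are
constructed inputs."""
import struct
from typing import Dict, Tuple

# Defaults from the "Field / Description" table above.
LDAP_ATTRS: Dict[str, str] = {
    "objectClass": "objectClass",
    "objectSid": "objectSid",
    "userClass": "organizationalPerson",
    "userName": "sAMAccountName",
    "groupClass": "group",
    "groupName": "cn",
    "groupMember": "member",
}


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary Windows SID (the form AD returns in objectSid).

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x uint32 little-endian.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; also what an (objectSid=...) lookup needs."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_base_sid(sid: str) -> Tuple[str, int]:
    """Split S-1-5-21-<domain>-<object> into the base SID the
    'Base security identifier' field wants and the per-object identifier."""
    base, _, obj = sid.rpartition("-")
    return base, int(obj)


def ldap_escape(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 (\\ * ( ) and NUL)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def user_filter(username: str, attrs: Dict[str, str] = LDAP_ATTRS) -> str:
    """Filter for one user by login name, using the mapped class/attribute names."""
    return "(&(%s=%s)(%s=%s))" % (attrs["objectClass"], attrs["userClass"],
                                  attrs["userName"], ldap_escape(username))


def group_filter(group_name: str, attrs: Dict[str, str] = LDAP_ATTRS) -> str:
    """Filter for one group by its name attribute."""
    return "(&(%s=%s)(%s=%s))" % (attrs["objectClass"], attrs["groupClass"],
                                  attrs["groupName"], ldap_escape(group_name))


# The document's example SID, encoded the way AD would return it (constructed).
EXAMPLE_SID = "S-1-5-21-90214465-2227616183-3700750884-1202"
EXAMPLE_SID_BYTES = sid_string_to_bytes(EXAMPLE_SID)

if __name__ == "__main__":
    print(sid_bytes_to_string(EXAMPLE_SID_BYTES))
    print(split_base_sid(EXAMPLE_SID))
    print(user_filter("jdoe"))
    print(group_filter("Dev Team"))
    # A filter-injection attempt becomes an ordinary, non-matching value.
    print(user_filter("*)(objectClass=*"))
```

Run it directly to print the decoded SID, its base part and the filters; the last call shows that a login name crafted to close the filter and match every object is reduced to a literal value.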


4. Test the LDAP connection by clicking Test LDAP.

See Next

"Configuring the Defect Tracker Plugins" below

See Also

"About LDAP User Authentication" on page 29

"Registering LDAP Entities with Software Security Center" on page 91

"About Managing LDAP User Roles" on page 91

"Configuring Software Security Center to Use Multiple LDAP Servers" on page 120

Configuring the Defect Tracker Plugins

You use the Defect Tracker Plugins page in the Software Security Center Configuration Tool to deploy a defect-tracking plugin that was authored for your organization. You also use this page to replace an existing plugin. If you are using the HP Application Lifecycle Management (ALM), JIRA, or Bugzilla defect-tracker plugin provided with Software Security Center, you do not need to do anything on this page.

Note: In this guide, the Software Security Center Configuration Tool, and Software Security Center, the terms bug and defect are used interchangeably. Defect is most commonly used in the description of the Defect Tracker Plugins page in the Software Security Center Configuration Tool. In most other locations, the term bug is used.

Note: For information about how to create a defect-tracking plugin, see "Authoring Software Security Center Bug Tracker Plugins" on page 127.

To add or replace a plugin:

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click Defect Tracker Plugins.

3. Click Add/Replace Plugin Jar. The Locate JAR file dialog box opens.

4. Navigate to and select the JAR file for the defect-tracker plugin you want to add or replace. The configuration tool checks whether the selected file is a valid Software Security Center defect-tracker plugin.

• If the selected file is valid, Software Security Center identifies the defect tracker for which the plugin was developed, and the path to the plugin file is added to the Plugin Jars to Add/Replace list.

• If the selected file is not valid, an error message is displayed.

A plugin JAR runs inside the Software Security Center process with its privileges, and the check above only confirms that the file is a plugin, so add only JARs whose origin you trust.

5. Save your changes. For instructions, see "Completing the Software Security Center Configuration and Deploying the WAR File" on the next page.


See Next

"Completing the Software Security Center Configuration and Deploying the WAR File" below

See Also

"About Bug Tracker Integration" on page 80

"Authoring Software Security Center Bug Tracker Plugins" on page 127

Completing the Software Security Center Configuration and Deploying the WAR File

When you have configured all of the pages in the Software Security Center Configuration Tool, save the WAR file with the settings you configured, and then deploy it.

To save your settings and deploy the updated WAR file:

1. On the Software Security Center Configuration Tool Finish page, click Save and Finish.

2. When you are asked to confirm that you want to save your changes, click Yes. The WAR file (typically named ssc.war) is saved and the configuration tool closes.

3. Deploy the saved WAR file to your application server, following the instructions for that server. See "Deploying Software Security Center in an Application Server" on page 51.


Chapter 6: Deploying Software Security Center in an Application Server

The topics in this section provide instructions for preparing an application server for Software Security Center deployment, and then deploying Software Security Center in the application server.

Topics covered in this section:

• About Supported Application Servers and Secure Deployment 51
• About Configuring pragma no-cache on Application Servers 51
• About Deploying Software Security Center in Apache Tomcat 52
• About Deploying Software Security Center in IBM WebSphere 56
• About Deploying Software Security Center in WebLogic 60
• About Deploying Software Security Center in JBoss Enterprise Application Platform 63

After you have deployed Software Security Center in an application server, complete the configuration tasks on the Administration page in Software Security Center. For information and instructions, see "Completing the Configuration of Software Security Center" on page 67.

About Supported Application Servers and Secure Deployment

Before you can successfully run Software Security Center, you must prepare a supported third-party application server for Software Security Center deployment. For information about the supported application servers and versions, see the HP Fortify Software Security Center System Requirements document.

Secure deployment is particularly important for application server configuration, operation, and communications. For information about secure deployment considerations for third-party application servers running Software Security Center, see "About Securing the Application Server" on page 12 and "About Setting Application Server Attributes to Protect Sensitive Data" on page 12.

About Configuring pragma no-cache on Application Servers

Microsoft Internet Explorer does not always handle the Pragma: no-cache response header correctly; in particular, it can refuse to save files served over SSL with that header. If all of the following conditions are true, configure your application server so that it does not send the Pragma: no-cache header:

• You support users who use Microsoft Internet Explorer to access Software Security Center.

• Your application server is configured to use SSL to communicate with Software Security Center.

• Your application server adds the Pragma: no-cache header to HTML page responses.

Dropping the header relaxes cache control for every browser, not only Internet Explorer, so scope the change to the affected responses where your server allows it.


Configuring pragma no-cache for Apache Tomcat

If you use Apache Tomcat to run Software Security Center, go to the following web page for information on how to configure the pragma no-cache settings for your server:

http://www.mail-archive.com/[email protected]/msg151294.html

Configuring pragma no-cache on Servers Other than Apache Tomcat

The location of the configuration file that contains the pragma no-cache setting varies depending on the type of supported application server you use with Software Security Center.

For information about the location of the pragma no-cache setting in your application server, see the documentation for your server.

About Deploying Software Security Center in Apache Tomcat

The following topics describe what you need to do to deploy Software Security Center in an Apache Tomcat application server:

• About Configuring Tomcat Memory Settings 52
• About Configuring the Tomcat Connectors 56
• Deploying Software Security Center in Tomcat 56

See Also

"About Configuring pragma no-cache on Application Servers" on the previous page

About Configuring Tomcat Memory Settings

If you intend to use Apache Tomcat as your application server, you must specify the Tomcat server memory settings. Software Security Center uses several frameworks that dynamically subclass an application's core classes, and dynamic subclassing requires an increased number of class definitions in the Java runtime's permanent generation (PermGen). The -XX:MaxPermSize settings in the following topics apply to the JDK 7 runtime this release uses; Java 8 removed the permanent generation and ignores that flag.

Note: Configuring Tomcat memory does not impair server runtime performance or the behavior of the runtime environment.

Topics covered in this section:

• Configuring Tomcat Memory from the Windows Command Line 53
• Configuring Tomcat Memory When Tomcat Is Installed as a Service 53
• Configuring Tomcat Memory on a Linux System 55


Configuring Tomcat Memory from the Windows Command Line

If you are running Software Security Center on a Windows system and starting the Tomcat server from the Windows command line, do the following before you start the Tomcat server:

1. Set the CATALINA_OPTS environment variable as shown here:

set CATALINA_OPTS=-Xms256M -Xmx4096M -XX:MaxPermSize=256M -Djava.awt.headless=true

2. Restart Tomcat to apply the new memory settings.

3. Configure the Tomcat connectors and ports, as necessary. See "About Configuring the Tomcat Connectors" on page 56.

See Next

"About Configuring the Tomcat Connectors" on page 56

Configuring Tomcat Memory When Tomcat Is Installed as a Service

If you are running Software Security Center on a Windows system and you are running Tomcat as a Windows service, you can use the Apache Tomcat Properties dialog box to specify the Software Security Center memory settings. Windows applies the memory settings whenever it starts the Tomcat service, such as after a power-failure reboot.

The following procedure assumes that:

• You are qualified to configure a Tomcat application server running on a Windows computer and you are qualified to use Windows Computer Management tools

• You have configured your Tomcat server to run as a Windows service

Note: For additional information about configuring Tomcat, see the Tomcat documentation.

To use the Windows Services tool to configure Tomcat memory settings:

1. Log on to Windows as an Administrator-level user.

2. In Windows, open the Apache Tomcat Properties dialog box using the Apache Tomcat > Monitor Tomcat option in the Windows Start menu or by clicking its icon in the system tray.


3. Click the Java tab. (The original guide shows an illustration of this tab at this point.)

4. Configure the following properties:

• In the Java Options box, type the following lines (include the line breaks):

-XX:MaxPermSize=512M
-Djava.awt.headless=true

• In the Initial memory pool field, type 256.

• In the Maximum memory pool field, type an amount, in megabytes, that is approximately 1 or 2 GB below the amount of system RAM. For example, if you have a 64-bit system with 12 GB of RAM, type 10240 (10 GB).

For additional guidelines for configuring these properties, see the discussion about setting the CATALINA_OPTS variable in "Configuring Tomcat Memory on a Linux System" on the next page.

5. Click OK.

6. Restart Tomcat to apply the new memory settings.

7. Configure the Tomcat connectors and ports, as necessary. See "About Configuring the Tomcat Connectors" on page 56.

See Next

"About Configuring the Tomcat Connectors" on page 56


Configuring Tomcat Memory on a Linux System

If you are running Software Security Center on a Linux system, do the following before you start the Tomcat server:

1. In the <tomcat>/bin directory, create an empty file named setenv.sh.

2. Change the access permissions for the new file to 755. For example, enter chmod 755 setenv.sh.

3. Open the file in a text editor, and add the following line:

JAVA_HOME=/usr/java/jdk1.7.0_76

where the path in the JAVA_HOME variable is the location of JDK 7.

4. Beneath the line you added in step 3, add one of the following lines:

• If you have a 64-bit system with a generous amount of RAM (8 GB or more) and you have installed the 64-bit version of Java 1.7, HP recommends that you set the maximum heap size to approximately 1 or 2 GB below the system RAM and the maximum perm size to 256 MB. For example, if you have a 12 GB machine, add the following line:

CATALINA_OPTS="-Xms256M -Xmx10G -XX:MaxPermSize=256M -Djava.awt.headless=true"

Note that the Java Virtual Machine stores classes in the permanent generation. Therefore, the maximum permanent generation size should be greater than the total file size of all the .jar files in the WEB-INF/lib directory. If the same Tomcat instance will host other major web applications besides Software Security Center (which HP does not recommend), the maximum permanent generation might need to be increased to accommodate the additional .jar files.

• If you have a 32-bit system with at least 3 GB of RAM, HP recommends that you increase the maximum heap memory setting to 2 GB and the maximum perm size to 192 MB. For example:

CATALINA_OPTS="-Xms256M -Xmx2G -XX:MaxPermSize=192M -Djava.awt.headless=true"

• If you have a low-memory configuration that is not intended for heavy production use, add the following line:

CATALINA_OPTS="-Xms256M -Xmx768M -XX:MaxPermSize=160M -Djava.awt.headless=true"

Note: HP recommends that you configure Tomcat to write its log files in UTF-8 encoding. To do this, add the system property -Dfile.encoding=UTF-8 to CATALINA_OPTS.

5. Restart Tomcat to apply the new memory settings.

6. Configure the Tomcat connectors and ports, as necessary. See "About Configuring the Tomcat Connectors" on the next page.
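As an added example (not code from this guide, from HP, or from Tomcat), the following Python script turns the three sizing rules above into one function, checks the permanent-generation rule against the .jar files actually inside a WAR, and writes <tomcat>/bin/setenv.sh with mode 755 as steps 1 to 4 require. The JDK path is the one from step 3; the Tomcat directory you pass in and the sample WAR (built in memory from two fake jars in place of the real ssc.war) are assumptions. It appends -Dfile.encoding=UTF-8 as the note above recommends.

```python
"""Sizing helper for the Tomcat memory steps above.

Added example, not part of this guide or of Software Security Center / Tomcat.
Assumptions: JDK 7 at JAVA_HOME below, a <tomcat> directory passed by the
caller, and a sample WAR built here in memory instead of the real ssc.war.
"""
import io
import os
import zipfile

JAVA_HOME = "/usr/java/jdk1.7.0_76"  # JDK 7 path from step 3; adjust to yours


def catalina_opts(ram_mb: int, bits: int) -> str:
    """Return the CATALINA_OPTS line the guide recommends for this machine.

    64-bit, 8 GB or more:  heap = RAM minus 2 GB, MaxPermSize 256M
    32-bit, 3 GB or more:  heap 2G, MaxPermSize 192M
    anything else:         low-memory settings, not for heavy production use
    -Dfile.encoding=UTF-8 is the guide's recommended log-file encoding.
    """
    if bits == 64 and ram_mb >= 8 * 1024:
        heap, perm = "-Xmx%dG" % (ram_mb // 1024 - 2), "256M"
    elif bits == 32 and ram_mb >= 3 * 1024:
        heap, perm = "-Xmx2G", "192M"
    else:
        heap, perm = "-Xmx768M", "160M"
    return ("-Xms256M %s -XX:MaxPermSize=%s -Djava.awt.headless=true "
            "-Dfile.encoding=UTF-8" % (heap, perm))


def webinf_lib_bytes(war) -> int:
    """Total uncompressed size of WEB-INF/lib/*.jar inside a WAR (path or file object)."""
    with zipfile.ZipFile(war) as zf:
        return sum(info.file_size for info in zf.infolist()
                   if info.filename.startswith("WEB-INF/lib/")
                   and info.filename.endswith(".jar"))


def perm_size_ok(opts: str, jar_bytes: int) -> bool:
    """True if the -XX:MaxPermSize in opts (M or G suffix) exceeds jar_bytes."""
    for token in opts.split():
        if token.startswith("-XX:MaxPermSize="):
            value = token.split("=", 1)[1].upper()
            multiplier = {"M": 1 << 20, "G": 1 << 30}[value[-1]]
            return int(value[:-1]) * multiplier > jar_bytes
    return False  # no MaxPermSize at all: the rule cannot be satisfied


def setenv_text(opts: str) -> str:
    """Contents of setenv.sh: the JAVA_HOME line from step 3 plus CATALINA_OPTS."""
    return 'JAVA_HOME=%s\nCATALINA_OPTS="%s"\n' % (JAVA_HOME, opts)


def write_setenv(tomcat_dir: str, opts: str) -> str:
    """Create <tomcat>/bin/setenv.sh with mode 755 and return its path."""
    path = os.path.join(tomcat_dir, "bin", "setenv.sh")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(setenv_text(opts))
    os.chmod(path, 0o755)
    return path


def sample_war() -> io.BytesIO:
    """Constructed stand-in for ssc.war: two fake jars totalling 3 MiB plus web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/a.jar", b"\0" * (2 << 20))
        zf.writestr("WEB-INF/lib/b.jar", b"\0" * (1 << 20))
        zf.writestr("WEB-INF/web.xml", b"<web-app/>")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    opts = catalina_opts(12 * 1024, 64)  # the guide's 12 GB, 64-bit example
    jars = webinf_lib_bytes(sample_war())
    print(opts)
    print("WEB-INF/lib jars: %d bytes, MaxPermSize large enough: %s"
          % (jars, perm_size_ok(opts, jars)))
    print(setenv_text(opts), end="")
```

Call write_setenv("/opt/tomcat", opts) against your real Tomcat directory, and pass the real ssc.war path to webinf_lib_bytes to check the permanent-generation rule against the jars you actually deploy.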


See Next

"About Configuring the Tomcat Connectors" below

About Configuring the Tomcat Connectors

Configure the Tomcat connectors and ports, as necessary. Refer to the Tomcat documentation for instructions for configuring the connectors and setting up SSL/TLS (if required).

If you only need to modify the default ports, edit the <tomcat>/conf/server.xml file.

See Next

"Deploying Software Security Center in Tomcat" below

Deploying Software Security Center in Tomcat

To deploy Software Security Center in Tomcat:

1. Stop the Tomcat server.

2. Navigate to the <tomcat>/webapps directory.

3. Delete the ssc subdirectory.

4. Copy the ssc.war file to the <tomcat>/webapps directory.

Note: It could take several minutes for Tomcat to deploy the ssc.war file.

5. Restart the Tomcat server:

• In Linux: Run <tomcat>/bin/startup.sh.

• In Windows: On the General tab of the Apache Tomcat Properties dialog box, click Start.

About Deploying Software Security Center in IBM WebSphere

Perform the following tasks to deploy Software Security Center in a WebSphere application server:

Task / Description / Instructions

1. Export a copy of the HP Fortify web certificate in X.509 DER format. See "About HP Fortify Web Certificates for WebSphere" on the next page.

2. Use IBM's iKeyman utility to add the HP Fortify web certificate to the WebSphere certificate store. See "Adding the HP Fortify Web Certificate to the WebSphere Application Server" on page 58.

3. Prepare WebSphere for Software Security Center deployment. See "Preparing WebSphere for Software Security Center Deployment" on page 59.

4. Deploy Software Security Center in WebSphere. See "Deploying Software Security Center in WebSphere" on page 59.


See Also

"About Configuring pragma no-cache on Application Servers" on page 51

About HP Fortify Web Certificates for WebSphere

The HP Fortify web certificate enables the instance of Software Security Center running under the WebSphere server to establish an HTTPS connection with the HP Fortify Rulepack update server at https://update.fortify.com. Because WebSphere will trust this certificate for every Rulepack download, compare the fingerprint of the exported file with the one your browser displays before you add it to the trust store, and note that a server certificate expires, so the export must be repeated when it is renewed.

The following procedures describe how to export a copy of the HP Fortify certificate in X.509 DER format using a Firefox or Internet Explorer web browser:

• Exporting the HP Fortify Web Certificate Using Firefox 57• Exporting the HP Fortify Web Certificate Using Internet Explorer 57

Exporting the HP Fortify Web Certificate Using Firefox

To export an HP Fortify web certificate using Firefox:

1. In Firefox, navigate to the Fortify Customer Portal (https://update.fortify.com), and then log on using your Customer Portal credentials. The Your Products page opens.

2. Open the certificate export tool:

a. Right-click the page, and select View Page Info from the shortcut menu. Firefox displays the Page Info window.

b. In the Page Info window, click Security.

c. In the Website Identity section, click View Certificate.

d. In the Certificate Viewer dialog box, click the Details tab.

e. Click Export.

3. In the Save Certificate to File dialog box:

a. Browse to the directory to which you want to save the certificate file.

b. In the File Name box, type a file name, and make a note of the name.

c. In the Save as type list, leave X.509 Certificate (PEM) selected. (iKeyman accepts either the PEM or the DER encoding when you add the certificate.)

4. Click Save.

5. Close the Certificate Viewer dialog box.

See Next

"Adding the HP Fortify Web Certificate to the WebSphere Application Server" on the next page

Exporting the HP Fortify Web Certificate Using Internet Explorer

To export an HP Fortify web certificate using Internet Explorer:

1. In Internet Explorer, navigate to the Fortify Customer Portal (https://update.fortify.com), and then log on using your Customer Portal credentials. The Your Products page opens.


2. Open the Certificate Export Wizard:

a. Right-click the page, and select Properties from the shortcut menu.

b. In the Properties dialog box, click Certificates.

c. In the Certificate dialog box, click the Details tab, and then click Copy to File. The Certificate Export Wizard starts.

3. Export the certificate as an X.509 DER file:

a. Click Next.

b. On the Export File Format step, leave DER Encoded Binary X.509 (.CER) selected and click Next.

c. On the Export to File step, browse to the directory to which you want to save the certificate file, type a file name, and click OK.

d. Click Next.

e. On the completion step, review your settings.

f. Click Finish.

See Next

"Adding the HP Fortify Web Certificate to the WebSphere Application Server" below

Adding the HP Fortify Web Certificate to the WebSphere Application Server

After you have exported the HP Fortify web certificate, you use IBM’s iKeyman utility to add the HP Fortify web certificate to the certificate store of the WebSphere application server.

To add the HP Fortify web certificate to the WebSphere server certificate store:

1. Start the IBM key management utility (iKeyman). For instructions, see IBM's online documentation for certificate management.

2. To open the WebSphere trust store for updating:

a. From the Key Database File menu, select Open.

b. From the Key database type list in the Open dialog box, select PKCS12.

c. Browse to the following location: <WebSphere Install Dir>/profiles/<AppServer>/config/cells/<Cell Name>/nodes/<Node Name>/trust.p12.

d. Click OK. The iKeyman utility prompts for a password.

3. Type the WebSphere keystore password. (The default password is WebAS. If your installation still uses this well-known default, change it; anyone with access to the file who knows it can add trusted certificates to the store.)

4. To add the HP Fortify web certificate:

a. Click Add.

b. Browse to and select the HP Fortify web certificate you exported (see "About HP Fortify Web Certificates for WebSphere" on the previous page), and then click OK. The iKeyman utility prompts you to label the certificate.

c. The Enter a Label box displays the default label ssc_war. Replace this value with ssc.


d. Click OK. The iKeyman utility adds the HP Fortify web certificate to the WebSphere certificate store.

5. From the iKeyman utility Key Database File menu, click Exit.

See Next

"Preparing WebSphere for Software Security Center Deployment" below

Preparing WebSphere for Software Security Center Deployment

After you have exported the Fortify web certificate and added it to the WebSphere application server, you prepare WebSphere for deployment.

To prepare WebSphere for deployment:

1. Start WebSphere and log on as a WebSphere administrator.

2. Open the WebSphere console.

3. Navigate to Application Servers > <server_name> > Web Container > Custom properties, where <server_name> is the server that contains the Software Security Center application (for example, server1).

4. Add the following custom property to the server web container:

com.ibm.ws.webcontainer.invokefilterscompatibility

5. Set the value of the new property to true.

Caution: If you do not set this property, logging will fail. Errors will be logged to logs/ffdc/<filename>.txt.

6. On the Application servers page (for example, Application servers > server1), in the server-specific application settings, set Class loading mode to Parent last.

7. Save your changes.

8. Restart WebSphere.

See Next

"Deploying Software Security Center in WebSphere" below

Deploying Software Security Center in WebSphere

To deploy Software Security Center using the WebSphere console:

1. Start WebSphere.

2. Log on to the administrative console.

3. In the panel on the left, expand Applications.

4. Click Enterprise Applications.

5. In the Name field in the General Properties area of the panel on the right, type ssc.war.

6. Click Apply.

7. In the Modules area, click Manage Modules.


8. Select the Software Security Center application module.

9. In the Class loader order list, select Classes loaded with application class loader first (parent last).

10. Click Apply.

11. Navigate to Enterprise applications > <ssc_application> > Class loading and update detection.

12. Click Class loading and update detection.

13. In the Polling interval for updated files field, type 20.

14. In the Class loader order list, select Classes loaded with application class loader first (parent last).

15. Click OK to apply the changes.

16. Restart WebSphere.

About Deploying Software Security Center in WebLogic

The following topics describe what you need to do to deploy Software Security Center in a WebLogic application server:

• Deploying Software Security Center in WebLogic 11g 60• Deploying Software Security Center in WebLogic 12c 62

See Also

"About Configuring pragma no-cache on Application Servers" on page 51

Deploying Software Security Center in WebLogic 11g 

To deploy Software Security Center in WebLogic 11g:

Note: For the supported versions of WebLogic 11g, see the Software Security Center System Requirements document.

1. Stop the WebLogic Server.

2. Navigate to the WebLogic Server <WebLogic_Install>/modules directory.

3. Locate the two files with names similar to the following, and make a note of the file names. You will need them in step 5.

• com.oracle.jpa2support_*.jar

where * is the version number.

• javax.persistence_*_2-*.jar

where the version number is represented by *_2-* and each * represents a numeric value of one or more digits.

Important: Make sure you locate the file with _2- as shown above. For example, in javax.persistence_1.1.0.0_2-0.jar, the version number follows the first underscore: 1.1.0.0_2-0.

4. Navigate to the WebLogic Server <WebLogic_Install>/user_projects/domains/ssc/bin directory and open the setDomainEnv.cmd (Windows) or setDomainEnv.sh (Linux) batch script file in a text editor.

5. Add the following lines to the head of the file:

• On a Windows system, add:

set USER_MEM_ARGS=-Xmx4096m -XX:MaxPermSize=256m

set JAVA_OPTIONS=-Djava.awt.headless=true

set PRE_CLASSPATH=%MW_HOME%\modules\com.oracle.jpa2support_<Version>.jar;%MW_HOME%\modules\javax.persistence_<Version>.jar

where <Version> represents the version number from the corresponding file that you located in step 3.

• On a Linux system, add:

export USER_MEM_ARGS="-Xmx4096m -XX:MaxPermSize=256m"

export JAVA_OPTIONS=-Djava.awt.headless=true

export PRE_CLASSPATH="${MW_HOME}/modules/javax.persistence_<Version>.jar:${MW_HOME}/modules/com.oracle.jpa2support_<Version>.jar"

where <Version> represents the version number from the corresponding file that you located in step 3.

6. Start the WebLogic server.
7. To start the Administration Console for your local instance of WebLogic Server, type the following URL in a Web browser address field:

http://localhost:7001/console/

8. Log on to the Administration Console.
9. In the Domain Structure tree, select Deployments.
10. Click Install.
11. Browse to and select the ssc.war file.
12. Select Install this deployment as an application.
13. Click Next until the final step is displayed, and then click Finish.


Deploying Software Security Center in WebLogic 12c

To deploy Software Security Center in WebLogic 12c:

Note: For the supported versions of WebLogic 12c, see the Software Security Center System Requirements document.

1. Stop the WebLogic Server.
2. Navigate to the WebLogic Server <WebLogic_Install>/oracle_common/modules directory.
3. Locate the file with the name similar to javax.persistence_*_2-*.jar, where the version number is represented by *_2-* and each * represents a numeric value of one or more digits.

Important: Make sure you locate the file with _2- as shown above. For example, in javax.persistence_1.1.0.0_2-0.jar, the version number follows the first underscore: 1.1.0.0_2-0.

4. Make a note of the file name. You will need it in step 6.
5. Navigate to the WebLogic Server <WebLogic_Install>/user_projects/domains/ssc/bin directory and open the setDomainEnv.cmd (Windows) or setDomainEnv.sh (Linux) batch script file in a text editor.

6. Add the following lines to the head of the file:

• On a Windows system, add:

set USER_MEM_ARGS=-Xmx4096m -XX:MaxPermSize=256m

set JAVA_OPTIONS=-Djava.awt.headless=true

set PRE_CLASSPATH=%MW_HOME%\oracle_common\modules\javax.persistence_<Version>.jar;

where <Version> represents the version number from the file that you made note of in step 4.

• On a Linux system, add:

export USER_MEM_ARGS="-Xmx4096m -XX:MaxPermSize=256m"

export JAVA_OPTIONS=-Djava.awt.headless=true

export PRE_CLASSPATH="${MW_HOME}/oracle_common/modules/javax.persistence_<Version>.jar"

where <Version> represents the version number from the file that you made note of in step 4.

7. Start the WebLogic server.


8. To start the Administration Console for your local instance of WebLogic Server, type the following URL in a Web browser address field:

http://localhost:7001/console/

9. Log on to the Administration Console.
10. In the Domain Structure tree, select Deployments.
11. Click Install.
12. Browse to and select the ssc.war file.
13. Select Install this deployment as an application.
14. Click Next until the final step is displayed, and then click Finish.
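Both WebLogic procedures above hinge on choosing the javax.persistence jar whose version carries the _2- marker (and, for 11g, the matching com.oracle.jpa2support jar) and then typing the PRE_CLASSPATH line correctly. The following Python is an added example, not part of the guide or of any HP tool: it applies that selection rule to a directory listing and renders the PRE_CLASSPATH line for either release and platform. The file names in the sample listing are constructed.

```python
import re
from typing import List, Optional

# The guide's rule: use the javax.persistence jar whose version (everything after
# the first underscore) carries the "_2-" marker, e.g. javax.persistence_1.1.0.0_2-0.jar.
# A name such as javax.persistence_1.0.0.0_1-0.jar must NOT be picked.
PERSISTENCE_RE = re.compile(r"^javax\.persistence_(\d+(?:\.\d+)*_2-\d+)\.jar$")
# WebLogic 11g only: the JPA 2 support module (the guide only says "* is the version number").
JPA2SUPPORT_RE = re.compile(r"^com\.oracle\.jpa2support_(.+)\.jar$")

# Constructed directory listing standing in for <WebLogic_Install>/modules.
SAMPLE_MODULES: List[str] = [
    "com.oracle.jpa2support_1.0.0.0_2-1.jar",  # constructed: JPA 2 support module
    "javax.persistence_1.0.0.0_1-0.jar",        # constructed: JPA 1 jar, must be skipped
    "javax.persistence_1.1.0.0_2-0.jar",        # constructed: the jar the guide wants
    "org.apache.commons.logging_1.1.jar",       # constructed: unrelated module
]


def pick_version(filenames: List[str], pattern) -> Optional[str]:
    """Return the <Version> captured by pattern from exactly one file name.

    None means no candidate. More than one candidate raises, because the
    classpath must name a single copy of each module.
    """
    versions = []
    for name in filenames:
        match = pattern.match(name)
        if match:
            versions.append(match.group(1))
    if len(versions) > 1:
        raise ValueError("ambiguous module versions: %s" % versions)
    return versions[0] if versions else None


def render_pre_classpath(filenames: List[str], release: str, platform: str) -> str:
    """Render the PRE_CLASSPATH line for setDomainEnv.cmd / setDomainEnv.sh.

    release:  "11g" (<WebLogic_Install>/modules, two jars) or
              "12c" (<WebLogic_Install>/oracle_common/modules, one jar)
    platform: "windows" (set ..., ';' separator, backslashes) or
              "linux"   (export ..., ':' separator, forward slashes)
    """
    persistence = pick_version(filenames, PERSISTENCE_RE)
    if persistence is None:
        raise ValueError("no javax.persistence_*_2-*.jar in listing")
    if release == "11g":
        jpa2 = pick_version(filenames, JPA2SUPPORT_RE)
        if jpa2 is None:
            raise ValueError("no com.oracle.jpa2support_*.jar in listing")
        if platform == "windows":
            return ("set PRE_CLASSPATH=%MW_HOME%\\modules\\com.oracle.jpa2support_"
                    + jpa2 + ".jar;%MW_HOME%\\modules\\javax.persistence_"
                    + persistence + ".jar")
        return ('export PRE_CLASSPATH="${MW_HOME}/modules/javax.persistence_'
                + persistence + '.jar:${MW_HOME}/modules/com.oracle.jpa2support_'
                + jpa2 + '.jar"')
    if release == "12c":
        if platform == "windows":
            return ("set PRE_CLASSPATH=%MW_HOME%\\oracle_common\\modules\\javax.persistence_"
                    + persistence + ".jar;")
        return ('export PRE_CLASSPATH="${MW_HOME}/oracle_common/modules/javax.persistence_'
                + persistence + '.jar"')
    raise ValueError("unknown release: %r" % release)


if __name__ == "__main__":
    for rel in ("11g", "12c"):
        for plat in ("windows", "linux"):
            print(rel, plat, render_pre_classpath(SAMPLE_MODULES, rel, plat))
```

Note that a stray space around the `;` or `:` separator (easy to introduce when copying a wrapped line) becomes part of the path, so the renderer emits the separators with no whitespace.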

About Deploying Software Security Center in JBoss Enterprise Application Platform

The following topics describe what you need to do to deploy Software Security Center in a JBoss Enterprise Application Platform application server:

• Deploying Software Security Center in JBoss Enterprise Application Platform Version 5.x 63
• Deploying Software Security Center in JBoss Enterprise Application Platform Version 6.x 64

See Also

"About Configuring pragma no-cache on Application Servers" on page 51

Deploying Software Security Center in JBoss Enterprise Application Platform Version 5.x

To deploy JBoss Enterprise Application Platform (JBoss 5.x EAP) with Software Security Center:

1. Stop the JBoss web server.
2. Create a subdirectory named ssc.war in the JBoss installation directory (for example, <JBoss_Install>/server/default/deploy/ssc.war).
3. Extract the ssc.war file contents into the new ssc.war folder.
4. Modify the jboss executable script as follows:

• On Windows systems, add the following line to run.bat:

set JAVA_OPTS=%JAVA_OPTS% -Dorg.jboss.logging.provider=slf4j

• On Linux systems, add the following line to run.sh:

JAVA_OPTS="$JAVA_OPTS -Dorg.jboss.logging.provider=slf4j"

5. Restart the JBoss server.


Deploying Software Security Center in JBoss Enterprise Application Platform Version 6.x

To deploy JBoss Enterprise Application Platform (JBoss 6.x EAP) with Software Security Center:

1. Stop the JBoss web server.
2. Copy the ssc.war file into a deployment folder in the JBoss installation directory.
3. For a standalone deployment of JBoss, turn off the infinispan feature (http://infinispan.org/documentation) as follows:

a. Navigate to the $JBOSS_HOME/standalone/configuration directory and open the standalone.xml file in an editor.

b. Comment out the extension module as follows:

<!-- <extension module="org.jboss.as.clustering.infinispan"/> -->

c. Save and close the standalone.xml file.

4. Restart the JBoss server.


Chapter 7: Logging On to Software Security Center and Requesting a User Account

After you have created and initialized your Software Security Center database, configured your application server, and deployed Software Security Center in the application server, follow the instructions in this section to log on to Software Security Center.

Note: If you do not yet have a Software Security Center user account, you can request one from the administrator. For information, see "Requesting Access to Software Security Center" on the next page.

Topics covered in this section:

• Logging On to Software Security Center 65
• Requesting Access to Software Security Center 66

Logging On to Software Security Center

Follow the instructions in this topic to log on to Software Security Center.

After you have logged on to Software Security Center, create at least one non-default administrator account, and then delete the default administrator account. For more information about managing Software Security Center user accounts and roles, see "About Software Security Center User Administration" on page 89.

To log on to Software Security Center:

1. Make sure that you access the newest version of the Software Security Center user interface. To do this, clear your web browser’s cache.

2. In a web browser, type the URL for the Software Security Center instance:

• If Software Security Center is configured to use secure HTTP protocol, type the following URL:

https://<host_IP>:<port>/ssc/

where <port> represents the port number used by the application server.

• If Software Security Center is configured to use insecure HTTP protocol (not recommended), type the following URL:

http://<host_IP>:<port>/ssc/

where <port> represents the port number used by the application server.

3. Type your Username and Password. If you are logging on to Software Security Center for the first time, type admin in both the Username and Password fields. These are the default logon credentials for a new Software Security Center installation.

Note: You are asked to change your credentials the first time you log on.


4. Click Log in. If you are logging on to Software Security Center for the first time, you are prompted to change your logon credentials.

5. If Software Security Center prompts you to change your credentials, enter a new username and password. Software Security Center passwords must be at least eight characters long and contain at least one of the following:

• Upper-case letter

• Lower-case letter

• Non-alphanumeric character

Requesting Access to Software Security Center

If you do not have a Software Security Center account or if you have forgotten your username or password, you can request assistance by clicking a link on the Software Security Center Login page.

Note: This feature is only available if email alert notifications are enabled. See "Configuring the Software Security Center Settings Used for Sending Email Alert Notifications" on page 73.

To request access to Software Security Center:

1. At the top of the Login dialog box, click Can't access or need an account?
2. Enter your email address and select one of the following options:

• I don't know my password

• I don't know my username

• I don't have an account

3. Click Submit. Your request is sent to the system administrator.

Note: The address to which this request is sent is configured in the Core settings (see "Configuring Core Settings" on page 70).


Chapter 8: Completing the Configuration of Software Security Center

After you have finished the preliminary configuration of Software Security Center and deployed the Software Security Center WAR file, you must complete the initial Software Security Center configuration. You do this on the Software Security Center Administration page that is part of the new Software Security Center user interface in Software Security Center 4.30.

You can configure and update other settings on the Administration page later, as necessary.

For information about the new Software Security Center user interface, see the HP Fortify Software Security Center Technology Preview of the New User Interface.

Topics covered in this section:

• Accessing the Configuration Category on the Software Security Center Administration Page 67
• About the Options in the Configuration Category 68

Accessing the Configuration Category on the Software Security Center Administration Page

You complete the Software Security Center configuration in the Configuration category on the new Software Security Center Administration page.

To access the Configuration category:

1. Start Software Security Center. For instructions, see "Logging On to Software Security Center" on page 65.

Note: If you cannot access Software Security Center because you have forgotten your username or password or if you do not have an account, see "Requesting Access to Software Security Center" on page 66.

2. Do one of the following:

• If you are accessing Software Security Center for the first time, a banner similar to the following is displayed at the top of the page. Click Go to open the Configuration category on the Administration page.

• If you are not accessing Software Security Center for the first time, at the top of the Software Security Center Dashboard, click Preview New Dashboard.


3. At the top of the new dashboard, click Administration.

The Administration page opens. Links to the categories that are available from the Administration page are available in the navigation pane at the left side of the page and the Event Logs page is displayed.

4. In the navigation pane, click Configuration.

The options in the Configuration category are displayed. For descriptions of these options, see "About the Options in the Configuration Category" below.

About the Options in the Configuration Category

The following table lists the options that are available in the Configuration category on the new Software Security Center Administration page.

Note: Changes to most of the Configuration category pages do not take effect until the system is restarted.

Option Description Instructions

CAS Use to configure Software Security Center to work with a Central Authentication Server (CAS).

"Configuring Software Security Center to Work with a Central Authorization Server" on the next page

CloudScan Use to configure Software Security Center to monitor CloudScan and to display CloudScan results in Software Security Center.

"Configuring HP Fortify CloudScan Monitoring in Software Security Center" on page 70


Core Use to configure core Software Security Center settings such as the timeout and lockout settings and the proxy for secure coding Rulepacks updates.

"Configuring Core Settings" on the next page

Email Use to configure the server settings used to send email alerts to users.

"Configuring the Software Security Center Settings Used for Sending Email Alert Notifications" on page 73

JMS Use to configure Software Security Center to publish system events to the Java Message Service (JMS).

"Configuring Java Message Service Settings" on page 74

Runtime Use to enable or disable Runtime Application Protection communications with Software Security Center.

"Configuring HP Fortify Runtime Application Protection Communication Settings" on page 75

Scheduler Use to configure the Software Security Center job scheduler settings.

"Configuring Job Scheduler Settings" on page 76

SSO Use to configure Software Security Center to work with single sign-on (SSO).

"Configuring Software Security Center to Work with Single Sign-On" on page 77

Webservices Use to configure Software Security Center web services.

"Configuring Web Services to Require Token Authentication" on page 78

Configuring Software Security Center to Work with a Central Authorization Server

You configure Software Security Center to work with a Central Authorization Server (CAS) in the Configuration category on the Software Security Center Administration page.

To configure Software Security Center to work with a Central Authorization Server:

1. Navigate to the Configuration section of the new Software Security Center Administration page. For instructions, see "Accessing the Configuration Category on the Software Security Center Administration Page" on page 67.

2. In the Configuration section, click CAS. The CAS integration attributes page opens.


3. Configure the settings as described in the following table:

Field Description

Enable CAS Integration Select this check box to enable integration with CAS. Note: Selecting this check box also allows you to edit the remaining fields on the page. This check box is not selected by default.

HP Software Security Center Location

Type the URL for the Software Security Center.

For example, http://localhost:8180/ssc.

CAS Server URL Type the URL for the CAS server.

For example, http://localhost:8080/cas.

4. Click Save.

Important: Changes to this page are applied after the server is restarted.

Configuring HP Fortify CloudScan Monitoring in Software Security Center

You can monitor CloudScan and display CloudScan results in Software Security Center. To enable this functionality, you must configure the integration in both HP Fortify CloudScan and in the Configuration category on the Software Security Center Administration page. For instructions, see the HP Fortify CloudScan Installation, Configuration, and Usage Guide.

Configuring Core Settings

In addition to the core settings you configured earlier with the Software Security Center Configuration Tool, you configure core settings in the Configuration category on the Software Security Center Administration page. These settings include user account timeout and lockout settings, the display of user information, maximum events per WebInspect Agent issue, the base URL for the runtime event description server, and the user administrator's email address. You also configure the proxy used for Rulepack updates on this page. For information about the Rulepacks updates proxy, see "About Configuring a Proxy for Rulepack Updates" on page 72.

To configure Software Security Center core settings:

1. Navigate to the Configuration section of the new Software Security Center Administration page. For instructions, see "Accessing the Configuration Category on the Software Security Center Administration Page" on page 67.

2. In the Configuration section, click Core. The Core SSC attributes page opens.


3. Configure the settings as described in the following table:

Field Description

Absolute Session Timeout (minutes)

Type the number of minutes a user can be continuously active before Software Security Center automatically logs the user off. The default value is 240.

Days before password reset

Type the number of days the Software Security Center password is valid before the user must change it. The default value is 30.

Login Attempts before Lockout

Type the number of times a user can try to log on to Software Security Center using invalid credentials before being locked out. If Software Security Center locks a user out, that user is prevented from attempting a new logon for the number of minutes specified as the Lockout time. The default value is 3.

Lockout time (minutes)

If a user attempts and fails to log on to Software Security Center the number of times specified for Login Attempts before Lockout, Software Security Center locks the user out for the number of minutes specified as the Lockout time. The default value is 30.

Display user first/last names and Emails in user fields, along with login names

Select this check box to display the following user information, when applicable: login name, first and last name, and email address. This check box is selected by default.

Maximum Events Per WebInspect Agent Issue

When Software Security Center imports runtime events into project versions, it converts the events into issues. At times, multiple events are imported as a single issue. Type the maximum number of events that Software Security Center can convert to a single issue. The default value is 5.

Inactive Session Timeout (minutes)

Type the number of minutes a user can be inactive before Software Security Center automatically logs the user off. The default value is 30.

Locale for Rulepacks

Leave this field empty. Software Security Center does not support localized HP Fortify Secure Coding Rulepacks.

Proxy for Rulepack Update

Type the network name or IP address of the proxy.


Proxy Password Type a valid password for the Rulepack proxy server.

Proxy Port Type the port number associated with the network name or IP address you specified as the Proxy for Rulepack Update.

Proxy Username Type a valid username for the Rulepack proxy server.

Rulepack Update URL

Important: Do not change the default value of the Rulepack Update URL field unless your HP Fortify customer support representative directs you to do so.

The default value is https://update.fortify.com.

Base URL for Runtime Event description server

The runtime event details include a link to a description of the event category, which is hosted on a Software Security Center instance. If you do not want your Software Security Center instance to access the internet, change the base URL for the event category descriptions. The default value is https://content.fortify.com/products/360/rta/descriptions/.

User Administrator's Email Address (for user account requests)

Type the email address of the user who is to receive system email alerts and notifications when email notifications are enabled. For more information, see the HP Fortify Software Security Center User Guide. Requests for new user accounts are sent to this address when the Request Access link is available on the Software Security Center Login page.

4. Click Save.

Important: Changes to this page are applied after the server is restarted.
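The session timeout and lockout fields in the table above are easy to misread in isolation (the absolute timeout applies even to an active user; the lockout counter only matters once it reaches the attempt limit). The following Python is an added example, not Software Security Center's implementation: a hypothetical model of how those four settings interact, using the table's default values, driven by a constructed clock.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Default values from the Core settings table (counts and minutes).
LOGIN_ATTEMPTS_BEFORE_LOCKOUT = 3
LOCKOUT_TIME_MIN = 30
ABSOLUTE_SESSION_TIMEOUT_MIN = 240
INACTIVE_SESSION_TIMEOUT_MIN = 30


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class Session:
    started_at: datetime      # time of successful logon
    last_active_at: datetime  # time of the most recent request


class CorePolicy:
    """Hypothetical model of the lockout and session-timeout rules (not SSC code)."""

    def __init__(self, attempts=LOGIN_ATTEMPTS_BEFORE_LOCKOUT, lockout_min=LOCKOUT_TIME_MIN,
                 absolute_min=ABSOLUTE_SESSION_TIMEOUT_MIN, inactive_min=INACTIVE_SESSION_TIMEOUT_MIN):
        self.attempts = attempts
        self.lockout = timedelta(minutes=lockout_min)
        self.absolute = timedelta(minutes=absolute_min)
        self.inactive = timedelta(minutes=inactive_min)
        self.accounts: Dict[str, AccountState] = {}

    def attempt_login(self, user: str, credentials_ok: bool, now: datetime) -> str:
        """Return "ok", "denied" (bad credentials, not yet locked) or "locked"."""
        state = self.accounts.setdefault(user, AccountState())
        if state.locked_until is not None:
            if now < state.locked_until:
                return "locked"          # no new logon is accepted until Lockout time elapses
            state.locked_until = None    # lockout expired: counting starts over
            state.failed_attempts = 0
        if credentials_ok:
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= self.attempts:
            state.locked_until = now + self.lockout
            return "locked"
        return "denied"

    def session_is_valid(self, session: Session, now: datetime) -> bool:
        """Absolute timeout runs from logon regardless of activity; inactive timeout from last activity."""
        if now - session.started_at >= self.absolute:
            return False
        if now - session.last_active_at >= self.inactive:
            return False
        return True


def demo_logins() -> List[str]:
    """Three bad passwords one minute apart, then correct ones at 20 and 32 minutes."""
    t0 = datetime(2015, 4, 1, 9, 0)  # constructed clock
    policy = CorePolicy()
    outcomes = [policy.attempt_login("alice", False, t0 + timedelta(minutes=i)) for i in range(3)]
    outcomes.append(policy.attempt_login("alice", True, t0 + timedelta(minutes=20)))  # inside lockout
    outcomes.append(policy.attempt_login("alice", True, t0 + timedelta(minutes=32)))  # lockout over
    return outcomes


def demo_sessions() -> List[bool]:
    """Checks an active session against the absolute limit and an idle one against the inactive limit."""
    t0 = datetime(2015, 4, 1, 9, 0)  # constructed clock
    policy = CorePolicy()
    busy = Session(started_at=t0, last_active_at=t0 + timedelta(minutes=230))
    idle = Session(started_at=t0, last_active_at=t0)
    return [
        policy.session_is_valid(busy, t0 + timedelta(minutes=239)),  # active, under 240 min
        policy.session_is_valid(busy, t0 + timedelta(minutes=240)),  # active but absolute limit hit
        policy.session_is_valid(idle, t0 + timedelta(minutes=29)),   # idle, under 30 min
        policy.session_is_valid(idle, t0 + timedelta(minutes=30)),   # idle limit hit
    ]


if __name__ == "__main__":
    print(demo_logins())    # ['denied', 'denied', 'locked', 'locked', 'ok']
    print(demo_sessions())  # [True, False, True, False]
```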

See Also

"Configuring the Core Parameters" on page 35

About Configuring a Proxy for Rulepack Updates

By default, Software Security Center downloads the current versions of HP Fortify Secure Coding Rulepacks you subscribe to from the HP Fortify Customer Portal at https://update.fortify.com. For installations that do not permit downloads directly from an external network source, you can configure Software Security Center to download Rulepacks from a proxy server.

To configure a proxy for Rulepack updates, you need the following:

• A current subscription to one or more Secure Coding Rulepacks
• The URL, port number, and username for the proxy server to use to update Secure Coding Rulepacks

You configure a proxy for secure coding Rulepacks updates in the Configuration category on the Software Security Center Administration page. For instructions, see "Configuring Core Settings" on page 70.


Configuring the Software Security Center Settings Used for Sending Email Alert Notifications

If you are going to use Software Security Center to send email alert notifications to the project team, you need to do the following:

1. Create the SMTP email account to be used by Software Security Center.
2. Configure the email settings as described in this topic.

When you enable email alert notifications, the "Can't access or need an account?" link is included in the login dialog box. (See "Requesting Access to Software Security Center" on page 66.)

For information about alerts and configuring Software Security Center to send alerts as email alert notifications, see the HP Fortify Software Security Center User Guide.

To configure the settings used for sending email alert notifications:

1. Navigate to the Configuration section of the new Software Security Center Administration page. For instructions, see "Accessing the Configuration Category on the Software Security Center Administration Page" on page 67.

2. In the Configuration section, click Email. The Email service configuration attributes page opens.

3. Configure the settings as described in the following table:

Field Description

Enable Email Select this check box to enable Software Security Center to send email messages of all types and to add the "Can't access or need an account?" link to the login dialog box. Note: Selecting this check box also allows you to edit the remaining fields on the page. This check box is not selected by default.

From Email address

Type the email address that Software Security Center uses to identify emails sent from Software Security Center. For example, [email protected].

Default encoding of the Email content

Type the encoding method to be used for the email content. The default value is UTF-8.

SMTP server Type the location of the SMTP server. For example, mail.example.com.

SMTP password

If authentication is required on the SMTP server, type the SMTP password.

SMTP server port

Type the port number for the SMTP server. The default value is 25.


SMTP username

If authentication is required on the SMTP server, type the SMTP username.

4. Click Save.

Important: Changes to this page are applied after the server is restarted.

Configuring Java Message Service Settings

If you want to publish system events to the Java Message Service (JMS), configure the JMS settings in the Configuration category on the Software Security Center Administration page.

To configure JMS settings:

1. Navigate to the Configuration section of the new Software Security Center Administration page. For instructions, see "Accessing the Configuration Category on the Software Security Center Administration Page" on page 67.

2. In the Configuration section, click JMS. The JMS integration attributes page opens.

3. Configure the settings as described in the following table:

Field Description

Publish System Events to JMS

Select this check box to publish system events to JMS. Note: Selecting this check box also allows you to edit the remaining fields on the page. This check box is not selected by default.

JMS Server URL Type the URL for the JMS server.

For example, tcp://127.0.0.1:61616.

Include username in JMS body

Select this check box to include the user's name in the body of the JMS message. This check box is selected by default.

JMS Topic Type the JMS topic of the message. The default value is Fortify.Advisory.EventNotification.

4. Click Save.

Important: Changes to this page are applied after the server is restarted.


Configuring HP Fortify Runtime Application Protection Communication Settings

If you need Software Security Center to communicate with HP Fortify Runtime Application Protection, you enable Runtime in the Configuration category on the Software Security Center Administration page.

For information about how to configure, monitor, and manage instances of Runtime Application Protection that are running in federated mode, see the HP Fortify Runtime Application Protection Operator Guide.

To enable Software Security Center to communicate with Runtime Application Protection:

1. Navigate to the Configuration section of the new Software Security Center Administration page. For instructions, see "Accessing the Configuration Category on the Software Security Center Administration Page" on page 67.

2. In the Configuration section, click Runtime. The Runtime integration attributes page opens.

3. Configure the settings as described in the following table:

Field Description

Enable Runtime Select this check box to enable runtime communications with Software Security Center. Note: Selecting this check box also allows you to edit the remaining fields on the page. This check box is not selected by default.

Email addresses (comma separated) to notify when a runtime configuration error occurs

Type the email addresses of the users to notify when a Runtime configuration error occurs. Separate the addresses with commas. For example, runtime.admin@abc_co.com, runtime.manager@abc_co.com.

Port for Runtime federation Type the number of the port that is used for runtime federation.

Caution: Do not change this setting unless HP Fortify support specifically directs you to do so.

The default value is 10234.

Enforce strict certificate checking Select this check box to enforce strict certificate checking.

Caution: Do not change this setting unless HP Fortify support specifically directs you to do so.

This check box is selected by default.


4. Click Save.

Important: Changes to this page are applied after the server is restarted.

Configuring Job Scheduler Settings

You configure the Software Security Center job scheduler in the Configuration category on the Software Security Center Administration page.

To configure job scheduler settings:

1. Navigate to the Configuration section of the new Software Security Center Administration page. For instructions, see "Accessing the Configuration Category on the Software Security Center Administration Page" on page 67.

2. In the Configuration section, click Scheduler. The Job scheduler attributes page opens.

3. Configure the settings as described in the following table:

Field Description

Number of days after which executed jobs will be removed

The number of days after which executed jobs are removed from Software Security Center. The default value is 1.

Job execution strategy

Select the job execution strategy to use. Options include the following:

• Conservative: Enables highly concurrent FPR processing. With this option, the job scheduler can run FPR processing on all workers available to the scheduler and up to two report jobs at a time. Low concurrency jobs such as artifact and project version delete are executed in sequence.

• Aggressive: Enables high concurrency. With this option, the job scheduler does not enforce any limitations on how jobs are executed. All jobs are equal and executed on all available workers.

• Exclusive jobs: Enables jobs to run in sequence, one at a time.

The default value is Conservative.

Days of Week Type the days of the week on which the scheduler is to run. You can enter the value as a three-letter abbreviation for the day of the week (for example, type THU for Thursday) or as a single digit, by entering a 1 for Sunday, a 2 for Monday, and so on. To run the scheduler on multiple days, separate the entries with a comma. For example, type SUN, WED, FRI or 1, 4, 6. To enter consecutive days, separate the entries with a dash. For example, type MON-FRI to run the scheduler on week days only. Type * if the scheduler is to run every day. The default value is *.

Note: The three-letter abbreviations must be entered as upper-case letters. Spaces between the entries are optional.

Hours Type the hour, using 24-hour time notation, at which the recurring scheduler job is to start running. For example, type 1 to start the job at 1 A.M. Type * if the scheduler is to run every hour. The default value is 0 (midnight).

Note: The values you enter in the Days of Week, Hours, and Minutes fields are concatenated to create the Cron expression used by the scheduler.

Minutes Type the minute at which the recurring scheduler job is to start running. For example, type 24 to start the job at 24 minutes past the hour that you entered in the Hours field. The default value is 0 (indicating the job starts running in the first minute of the hour).

4. Click Save.

Important: Changes to this page are applied after the server is restarted.
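The following script is an added example and not code from HP Fortify Software Security Center or its documentation. It applies the rules stated above for the Days of Week, Hours, and Minutes fields (upper-case three-letter day names or digits 1-7 with 1 = Sunday, comma lists, dash ranges, * for every day or every hour) and then concatenates the three values the way the note describes. The six-field Quartz-style layout of the result (seconds, minutes, hours, day-of-month, month, day-of-week, with ? for day-of-month) is an assumption about how the product lays the fields out, not documented behaviour; the point is the validation, which lets you check a value before saving and restarting the server.

```python
"""Validate the three scheduler fields and assemble them into a cron expression.

Added example; not code from HP Fortify Software Security Center or its
documentation. It enforces only the rules the guide states for the Days of
Week, Hours and Minutes fields and then concatenates the three values. The
Quartz-style layout of the result (seconds, minutes, hours, day-of-month,
month, day-of-week, with '?' for day-of-month) is an assumption about how
the product lays the fields out.
"""
import re

DAY_NAMES = ("SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT")


class SchedulerFieldError(ValueError):
    """Raised when a field value breaks one of the documented rules."""


def _is_day(token):
    # A single day: an upper-case three-letter name, or a digit 1-7 with 1 = Sunday.
    return token in DAY_NAMES or (token.isdigit() and 1 <= int(token) <= 7)


def validate_days_of_week(value):
    """Return the normalised Days of Week value (spaces removed) or raise."""
    value = value.strip()
    if value == "*":
        return "*"
    entries = [e.strip() for e in value.split(",")]
    for entry in entries:
        ends = entry.split("-")          # "MON-FRI" is a range, "THU" a single day
        if not entry or len(ends) > 2 or not all(_is_day(e) for e in ends):
            raise SchedulerFieldError("invalid Days of Week entry: %r" % entry)
    return ",".join(entries)


def validate_number(value, low, high, name, allow_star):
    """Return a number within [low, high] as a string, or '*' where the guide allows it."""
    value = value.strip()
    if value == "*" and allow_star:
        return "*"
    if not re.fullmatch(r"\d+", value) or not low <= int(value) <= high:
        raise SchedulerFieldError("%s must be %d-%d%s, got %r"
                                  % (name, low, high, " or *" if allow_star else "", value))
    return str(int(value))


def build_cron_expression(days_of_week, hours, minutes):
    """Concatenate the three validated fields into a six-field Quartz-style expression."""
    dow = validate_days_of_week(days_of_week)
    hour = validate_number(hours, 0, 23, "Hours", allow_star=True)
    minute = validate_number(minutes, 0, 59, "Minutes", allow_star=False)
    # Quartz requires exactly one of day-of-month / day-of-week to be '?'; the
    # page schedules by day-of-week only, so day-of-month is always '?'.
    return " ".join(["0", minute, hour, "?", "*", dow])


def fields_are_valid(days_of_week, hours, minutes):
    """True if the three values would be accepted, False otherwise."""
    try:
        build_cron_expression(days_of_week, hours, minutes)
        return True
    except SchedulerFieldError:
        return False


if __name__ == "__main__":
    for fields in (("*", "0", "0"), ("MON-FRI", "1", "24"), ("SUN, WED, FRI", "*", "0"),
                   ("mon", "0", "0"), ("1, 4, 6", "24", "0")):
        print(fields, "->",
              build_cron_expression(*fields) if fields_are_valid(*fields) else "rejected")
```

Lower-case day names and out-of-range hours are rejected rather than silently normalised, which matches the note that the abbreviations must be upper case; a value the scheduler would not accept is better caught here than after the restart the page requires.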

Configuring Software Security Center to Work with Single Sign-On

You configure Software Security Center to work with single sign-on (SSO) in the Configuration category on the Software Security Center Administration page.

For additional steps that you must complete when configuring SSO, see "Configuring Single Sign-On for Software Security Center" on page 87.

To configure Software Security Center to work with SSO:

1. Navigate to the Configuration section of the new Software Security Center Administration page. For instructions, see "Accessing the Configuration Category on the Software Security Center Administration Page" on page 67.

2. In the Configuration section, click SSO. The SSO integration attributes page opens.

3. Configure the settings as described in the following table:

Field Description

Enable SSO Integration

Select this check box to enable SSO integration. Note: Selecting this check box also allows you to edit the remaining fields on the page. This check box is not selected by default.

HTTP Header for Username Type the name of the HTTP header from which Software Security Center reads the logon name of the user that the SSO proxy has already authenticated. The default value is username.

Note: The SSO logon is based solely on the value of this header, so the proxy must remove any copy of the header that arrives from the client before it adds its own, and Software Security Center must be reachable only through the proxy. Otherwise, any client that can set the header can log on as any user.

4. Click Save.

Important: Changes to this page are applied after the server is restarted.

See Also

"Configuring Single Sign-On for Software Security Center" on page 87

Configuring Web Services to Require Token Authentication

You enable or disable token authentication for web services in the Configuration category on the Software Security Center Administration page.

Software Security Center supports two types of authentication when the SOAP web services API is used:

• A username and password are provided in every request.

• A temporary security token is generated and passed for authentication.

If you do not want to use token authentication, you must disable it on the Webservice attributes page.

For additional information about authentication tokens, see "About fortifyclient Authentication Tokens" on page 95.

To enable or disable token authentication:

1. Navigate to the Configuration section of the new Software Security Center Administration page. For instructions, see "Accessing the Configuration Category on the Software Security Center Administration Page" on page 67.

2. In the Configuration section, click Webservice. The Webservice attributes page opens.

3. Configure the setting as described in the following table:

Field Description

Allow Token Authentication

Select this check box to enable token authentication. Clear the check box if you do not want to use token authentication. This check box is selected by default.

4. Click Save.

Important: Changes to this page are applied after the server is restarted.


Chapter 9: Additional Installation-Related Tasks

The topics in this section address additional tasks related to a new installation of Software Security Center.

Topics covered in this section:

• Configuring an Eclipse Plugin Update Site 79
• About Bug Tracker Integration 80
• Configuring Single Sign-On for Software Security Center 87
• About Software Security Center User Administration 89
• Registering LDAP Entities with Software Security Center 91
• About Managing LDAP User Roles 91
• Creating Custom Project Attributes 92

Configuring an Eclipse Plugin Update Site

You can use Software Security Center to host an Eclipse update site. This enables you to distribute the HP Fortify Plugin for Eclipse from a central location, eliminating the need for each individual developer to install plugins locally.

To configure an Eclipse update site:

1. Open the <SSC_Install>/WEB-INF/internal/securityContext.xml file in a text editor. <SSC_Install> is the directory in which Software Security Center was deployed. For example, for Tomcat, the <SSC_Install> directory is <tomcat>/webapps/ssc.

2. Locate the following line of text:

<!--<security:intercept-url pattern="/update-site/**" access="PERM_ANONYMOUS"/>-->

3. Remove the comment tags from the line of text so that it looks like the following:

<security:intercept-url pattern="/update-site/**" access="PERM_ANONYMOUS"/>

4. Save the securityContext.xml file.

5. Enable the mapping for the Eclipse Update site.

6. Run the HP_Fortify_SCA_and_Apps installer.

7. Copy the contents of <Fortify_install>/plugins/eclipse (this should consist of a site.xml file and jar files in the features and plugins directories) to the update-site directory on your web server. <Fortify_install> is the location in which the HP_Fortify_SCA_and_Apps installer installed the files.

Your developers can now point to the URL from their Eclipse IDE. Because the update-site directory is served to anonymous users, anything placed in it is offered to every developer for installation: restrict write access to the directory to the administrators who populate it, and copy only the files that the installer produced. For complete client-side installation details, see the HP Fortify Plugin for Eclipse Installation and Usage Guide.
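The following script is an added example and not code from HP Fortify or from the Eclipse project. Step 7 copies site.xml and the jars under features/ and plugins/ into a directory that the previous steps open to anonymous users, so whatever sits there is what developers' IDEs install. The script parses a site.xml, confirms that every feature it advertises points inside the site and exists as a real (zip-format) jar, and records a SHA-256 per jar so the served copy can be compared with the files the installer produced. The site it builds in a temporary directory, including the feature ids and versions, is constructed for the example; the Fortify plugin's real feature ids are not known here.

```python
"""Check the contents of an Eclipse update site before it is served anonymously.

Added example; not code from HP Fortify or from the Eclipse project. The
site.xml, feature ids and versions below are constructed for the example.
"""
import hashlib
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Constructed site.xml: one feature that exists, one that is missing, and one
# whose url escapes the site directory.
SITE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<site>
  <feature url="features/com.example.feature_1.0.0.jar" id="com.example.feature" version="1.0.0"/>
  <feature url="features/com.example.missing_1.0.0.jar" id="com.example.missing" version="1.0.0"/>
  <feature url="../../outside.jar" id="com.example.escape" version="1.0.0"/>
</site>
"""


def make_site(root):
    """Populate root with the constructed site.xml and one genuine (zip-format) feature jar."""
    os.makedirs(os.path.join(root, "features"))
    os.makedirs(os.path.join(root, "plugins"))
    with open(os.path.join(root, "site.xml"), "w", encoding="utf-8") as fh:
        fh.write(SITE_XML)
    jar = os.path.join(root, "features", "com.example.feature_1.0.0.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("feature.xml", '<feature id="com.example.feature" version="1.0.0"/>')


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_site(root):
    """Map each advertised feature url to its SHA-256, or to MISSING, NOT_A_JAR or OUTSIDE_SITE."""
    root = os.path.abspath(root)
    report = {}
    for feature in ET.parse(os.path.join(root, "site.xml")).getroot().iter("feature"):
        url = feature.get("url", "")
        target = os.path.abspath(os.path.join(root, url))
        if not target.startswith(root + os.sep):
            report[url] = "OUTSIDE_SITE"   # site.xml must not point outside the update site
        elif not os.path.isfile(target):
            report[url] = "MISSING"
        elif not zipfile.is_zipfile(target):
            report[url] = "NOT_A_JAR"
        else:
            report[url] = sha256_of(target)
    return report


def demo():
    """Build the constructed site in a temporary directory and return its report."""
    with tempfile.TemporaryDirectory() as root:
        make_site(root)
        return check_site(root)


if __name__ == "__main__":
    for url, status in demo().items():
        print(url, status)
```

Run check_site against the real update-site directory after step 7 and keep the digests it reports next to the digests of the installer's <Fortify_install>/plugins/eclipse contents; a difference between the two lists means the served plugin is no longer what the installer delivered.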


About Bug Tracker Integration

Software Security Center allows your project team to submit bugs from the HP Fortify Software Security Center Collaboration Module to your bug tracking system. Software Security Center supports integration with Bugzilla, JIRA, and HP ALM bug-tracking systems out of the box.

Notes:

• In this guide, the Software Security Center Configuration Tool, and Software Security Center, the terms bug and defect are used interchangeably. Defect is most commonly used in the description of the Defect Tracker Plugins page in the Software Security Center Configuration Tool. In most other locations, the term bug is used.

• If your organization uses a bug tracking system other than those supplied by HP Fortify, you can author a new plugin for that system. For instructions, see "Authoring Software Security Center Bug Tracker Plugins" on page 127.

• If you are using a bug tracker plugin from a version of HP Fortify Software Security Center older than 3.30, contact HP Fortify technical support for assistance with migrating to the current release.

Topics covered in this section:

• Integrating with a Bug Tracking System 80
• Additional Bug Tracker Configuration Information 82
• Securing Logon Credentials for Bug Tracking Systems 83
• About Bug Tracker Parameters 83
• Viewing Previously Logged Bugs in the Collaboration Module 86
• About Changing the Bug-Tracking System for a Project 87

Integrating with a Bug Tracking System

To integrate with one of the supplied bug tracking systems:

1. Log on to Software Security Center as an administrator and click the Projects tab.

2. On the Projects page, click a project version.

3. Click Edit. The Edit Project Version dialog box opens.

4. Click the Bug Tracker tab.

5. From the Bug Tracker list, select the application to use for tracking bugs for the selected project version.


The Bug Tracker tab displays additional fields, which vary, depending on the bug tracker application you selected.

6. Complete the required fields, and then click Test. The Test Bug Tracker Configuration dialog box opens.

7. Type your bug tracker authentication credentials, and then click Test.

After Software Security Center verifies your connection to your bug tracker, you can enable batch bug submission for the project version. If you enable batch bug submission, users can filter issues for the project version based on selection criteria and attribute groupings, and then file a bug for the entire group of issues instead of filing a bug for each individual issue. If you enable batch bug submission for the project version, you can also enable bug state management, which allows Software Security Center to make specific updates to bugs as the states of the issues within those bugs change.

8. To enable batch bug submission, select the Enable Batch Bug Submission check box. Additional fields are displayed.


9. In the Selection Criteria box, specify the selection criteria.

10. In the Grouping Strategy box, specify the grouping strategy.

11. Click Check to validate the batch bug submission configuration.

12. Click Save.

Additional Bug Tracker Configuration Information

When you assign a bug tracker to a project version, you can provide additional configuration values. If your organization uses a single bug tracker configuration for most projects, you can modify the default Software Security Center bug tracker options by creating a bug tracker property file for the bug tracker you want to use.

The properties file name must have the format <ClassNameOfPlugin>.properties. The property names must match the configuration identifier names that the plugin uses.

Manually add each property file that you create to the WEB-INF/classes path of the WAR file.

Make sure that the defaults are loaded correctly during plugin selection.

See examples of the Bugzilla, JIRA, and ALM plugins in the following locations:

<SSC_Deploy>\Samples\BugTrackerPluginBugzilla\test\src\BugzillaBugTrackerPlugin.properties

<SSC_Deploy>\Samples\BugTrackerPluginJIRA4\test\src\Jira4BugTrackerPlugin.properties

<SSC_Deploy>\Samples\BugTrackerPluginAlm\test\src\AlmBugTrackerPlugin.properties

Securing Logon Credentials for Bug Tracking Systems

When you file a bug from Software Security Center, you provide a username and password for the bug tracking system. The username and password pair is saved in the HTTP session and mapped to the bug tracker for each project.

If, in your deployment architecture, the session is persisted to a database or file system, the passwords for the bug-tracking systems may also be persisted, protected only by lightweight encryption. Treat the persisted session store as credential material: restrict access to the database or file system that holds it to the Software Security Center service account and the administrators who need it.

Each bug tracker has a different set of bug parameters and requires different user input. These parameters are dynamic and could be fetched from the bug-tracking system itself. Default values may be provided for some parameters.

After you complete and save the bug settings, a bug is created on the bug tracking system and Software Security Center saves the bug ID for the issue.

Important: If Software Security Center is configured to communicate over SSL, you must also import the required bug tracker certificates to the java virtual machine where Software Security Center is deployed.

About Bug Tracker Parameters

A bug submitted with bug tracker requires that a standard summary and bug description be entered in the Submit Bug dialog box. You can also add values for priority level, a due date for the fix, and the assignee. Software Security Center fetches values for the Issue Type and Affects version fields dynamically from the bug tracking system based on the selected project. For examples of the Submit Bug dialog box, see the topics in this section.

If your project requires additional fields, you might need to modify the plugin before you use it. For instructions, see "Authoring Software Security Center Bug Tracker Plugins" on page 127 or contact HP Fortify Technical Support (https://support.fortify.com).

Topics covered in this section:

• About HP ALM Parameters 84
• About Bugzilla Parameters 85
• About JIRA Parameters 86


About HP ALM Parameters

In the Submit Bug dialog box for the HP ALM defect tracker, you select the parameters that reflect your ALM installation:

• Bug Summary

• Bug Description

• ALM Domain

• ALM Project

• Severity

If your ALM project integrates with ALI (see below), the defect description also includes candidate changesets that could have introduced the issue.

There are several key points of HP Fortify Software Security Center ALM integration to remember. In order for changeset discovery to be functional, the following conditions must be met:

• Each SCA scan must be tagged with a build label, which HP Fortify Software Security Center uses to map the scan to a source-control revision number. This is achieved by including the -build-label <SVN_Revision_Number> command option when executing the source analyzer tool to translate source code into the HP Fortify analysis model.

• The ALI extension must be enabled for the individual project in ALM, and appropriate source control repositories must be configured. If the ALI extension was successfully enabled for the individual project, you can view the Code Changes tab after you log on to ALM.

• ALM bugs are logged regardless of whether the changeset discovery requirements are met. If the prerequisites are not met, the changeset discovery message is skipped.

• Currently, Subversion is the only source control repository supported for changeset discovery.

Note: To view an ALM bug, you must have the ALM browser plugin installed and use an ALM-compatible browser.

For more information about ALI and ALM, see the HP documentation for those products.


The following image shows an example of the parameters in the ALM Submit Bug dialog box:

About Bugzilla Parameters

The following image shows an example of the parameters in the Bugzilla Submit Bug dialog box:


About JIRA Parameters

The following image shows an example of the parameters in the JIRA Submit Bug dialog box:

Viewing Previously Logged Bugs in the Collaboration Module

A Bug Submitted column is available in the Collaboration Module. It indicates whether a bug has been logged. Hovering over the icon in the Bug Submitted column reveals the bug ID in the external bug tracking system.

For issues associated with a bug, a View Bug button appears in the bottom panel on the Summary tab. This opens a new browser window that allows you to log into the external bug tracking website and view the bug.

A disabled View Bug button indicates that the bug tracker plugin did not provide an external link for the bug.

A disabled File Bug button can indicate several problems. To see why the button is disabled, hover your cursor over it and read the tooltip text.


Note: To view an ALM bug, you must have the ALM browser plugin installed and use an ALM-compatible browser.

For instructions for starting the Software Security Center Collaboration Module, see the HP Fortify Software Security Center User Guide.

About Changing the Bug-Tracking System for a Project

If you are changing the bug tracking system for a project that has a bug tracker assigned to it, make sure that the system indicated by the new bug tracker configuration contains all the bugs that were logged with the previous configuration. Otherwise, the bugs already filed might become invalidated.

Configuring Single Sign-On for Software Security Center

Software Security Center supports single-sign on (SSO). SSO enables a user to log on once to gain access to multiple, separate systems.

To configure SSO for Software Security Center:

1. Configure the web server that runs Software Security Center to serve as a proxy to Software Security Center.

2. Configure Software Security Center to use LDAP authentication. See "About LDAP User Authentication" on page 29.

3. Configure Software Security Center to work with a single sign-on (SSO) server. See "Configuring Software Security Center to Work with Single Sign-On" on page 77.

4. Configure the filters described in the following table for the SSO agent. These filters are located in <SSC_Install>/WEB-INF/internal/securityContext.xml. (<SSC_Install> is the directory in which Software Security Center was deployed. For example, for Tomcat, the <SSC_Install> directory is <tomcat>/webapps/ssc.) Paths marked Public are passed through without an SSO logon; the web service endpoints beneath them still rely on Software Security Center's own authentication, a username and password in each request or a token (see "Configuring Web Services to Require Token Authentication" on page 78). Keep the Public list to exactly the paths in the table.

Filter: <appcontext>/*
Access: Protected
Description: General access to Software Security Center is protected by the SSO solution.
Example: /ssc/*

Filter: <appcontext>/api/*
Access: Public
Description: Required for the use of WebInspect Enterprise.
Example: /ssc/api/*

Filter: <appcontext>/transfer/*
Access: Public
Description: Required to transfer artifacts (FPR files, reports, documents, project templates, and so on) through Software Security Center. This is for the Software Security Center user interface, web services, and client tools. Because of implementation details involved in the interaction with the Adobe Flash player and the web services libraries, the <appcontext>/transfer/*, <appcontext>/upload/*, and <appcontext>/download/* filters must be handled separately.
Example: /ssc/transfer/*

Filter: <appcontext>/update-site/*
Access: Public
Description: To enable HP Fortify Static Code Analyzer Suite upgrades from HP Fortify Audit Workbench, public access to the Software Security Center Update Site must be provided to everyone within the enterprise. For information about how to enable SCA Suite Upgrades from HP Fortify Audit Workbench, see "Performing HP Fortify Static Code Analyzer Suite Upgrades from HP Fortify Audit Workbench" on page 115.
Example: /ssc/update-site/*

Filter: <appcontext>/upload/*
Access: Public
Description: Required to upload artifacts (FPR files, reports, documents, project templates, and so on) through Software Security Center. This is for the Software Security Center user interface, web services, and client tools. Because of implementation details involved in the interaction with the Adobe Flash player and the web services libraries, the <appcontext>/transfer/*, <appcontext>/upload/*, and <appcontext>/download/* filters must be handled separately.
Example: /ssc/upload/*

Filter: <appcontext>/download/*
Access: Public
Description: Required to download artifacts (FPR files, reports, documents, project templates, and so on) through Software Security Center. This is for the Software Security Center user interface, web services, and client tools. Because of implementation details involved in the interaction with the Adobe Flash player and the web services libraries, the <appcontext>/transfer/*, <appcontext>/upload/*, and <appcontext>/download/* filters must be handled separately.
Example: /ssc/download/*

Filter: <appcontext>/fm-ws/*
Access: Public
Description: Required for the invocation of all the other web services. The client tools also use these web services to communicate with Software Security Center.
Example: /ssc/fm-ws/*

Filter: <appcontext>/d3srv
Access: Public
Description: Required for Rulepack updates from the client tools. If you want to be able to run security content updates from within Audit Workbench or the CLI FortifyUpdate, you must use the /<appcontext>/d3srv resource filter. Note: The forward slash and asterisk (/*) are intentionally absent from the end of this filter. For this filter, you must replace <appcontext> with the application context for Software Security Center, for example: /ssc.
Example: /ssc/d3srv

Filter: <appcontext>/guide/*
Access: Public
Description: Public access to the Software Security Center Process Guide must be provided to everyone within the enterprise.
Example: /ssc/guide/*

See Also

"Configuring Software Security Center to Work with Single Sign-On" on page 77

About Software Security Center User Administration

This section provides information about the different types of Software Security Center user accounts and creating these accounts for your users.

Topics covered in this section:

• About Administrator Accounts 89
• About Security Lead, Manager, and Developer Accounts 90
• About Creating User Accounts 90

About Administrator Accounts

Administrator accounts have complete access to all Software Security Center user and project version data. More important, an administrator-level account is the only kind that can do the following:

• Create new user accounts

• Edit or delete other users' accounts

HP recommends that when you log on to Software Security Center for the first time, you create at least one non-default administrator account, and then delete the default administrator account.


After you create the non-default administrator account, use the new account to create the Software Security Center Security Lead, Manager, and Developer user accounts.

For more information about the Administrator account, see the HP Fortify Software Security Center User Guide.

About Security Lead, Manager, and Developer Accounts

In addition to the administrator-level account used to administer user accounts, Software Security Center supports the following three account levels, in order of descending level of authority:

• Security Lead: A Security Lead has access to all administrative operations except user account creation and editing. The Security Lead can create project versions and edit all aspects of the project versions that they created or to which they are assigned.

• Manager: A Manager has read-only access to most administrative data. Managers can create and edit all data for the project versions to which they are assigned.

• Developer: A Developer has read-only access to some administrative data. Developers can create and edit a subset of data for the project versions to which they are assigned.

All Software Security Center user account types can edit their own account information.

For more information about the Security Lead, Manager, and Developer accounts, see the HP Fortify Software Security Center User Guide.

About Creating User Accounts

The Software Security Center Users module provides the tools you use to edit, delete, or suspend user accounts.

HP recommends that when you log on to Software Security Center for the first time, you create at least one non-default administrator account, and then delete the default administrator account.

After you create the non-default administrator account, use the new account to create the Software Security Center Security Lead, Manager, and Developer user accounts.

Note: As a Software Security Center administrator, you can delete or suspend all user accounts except for the last remaining administrator-level account. Software Security Center automatically disables the suspend and delete features for such an account.

For instructions for creating a user account, see the HP Fortify Software Security Center User Guide.

For information about how to configure Software Security Center user account timeout and lockout settings, see "Configuring Core Settings" on page 70. For more information about user account privileges, see the HP Fortify Software Security Center User’s Guide.


Registering LDAP Entities with Software Security Center

Software Security Center administrators can add LDAP organizational units, groups, and users to the list of Software Security Center users. For instructions for registering an LDAP organizational unit, group, or user with Software Security Center, see the HP Fortify Software Security Center User Guide.

About Managing LDAP User Roles

A relative distinguished name (RDN) further qualifies a base DN. For example, if the base distinguished name (DN) for a given LDAP directory is dc=domainName, dc=com, and the full DN is cn=group1,ou=users,dc=domainName,dc=com, then the RDN is cn=group1,ou=users.

The topics in this section describe how to use LDAP RDNs to determine user roles:

• About Group Membership in Software Security Center 91
• About Mapping Software Security Center Roles to LDAP Groups 91

About Group Membership in Software Security Center

For Software Security Center to recognize that a user is a member of a particular group, the user account must refer to a group object in the LDAP directory. When the user logs on, Software Security Center looks up the user in the LDAP directory. Software Security Center determines the user’s group by the common name (CN) specified in the group membership attribute. If the user belongs to multiple groups, and those groups are mapped to different roles, Software Security Center assigns the user all roles.

Software Security Center supports nested groups. For example, if a user is a member of group A and group A is a member of group B, Software Security Center recognizes that the user is a member of both groups.

About Mapping Software Security Center Roles to LDAP Groups

In most environments, the LDAP directory contains some users who do not need access to Software Security Center. Also, certain groups of users may require different access privileges.

Before you configure LDAP user authorization, you must decide which LDAP groups to associate with the Software Security Center roles (Administrator, Manager, Developer, and Auditor). HP recommends that you create new LDAP groups that map directly to the different Software Security Center roles. For example, a FORTIFY_ADMINS group and a FORTIFY_DEVELOPERS group.
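The following script is an added example and not code from HP Fortify Software Security Center. It reproduces the three ideas in this section against a small in-memory directory: computing the RDN of an entry relative to the base DN (the guide's own example, cn=group1,ou=users,dc=domainName,dc=com under dc=domainName,dc=com), following group membership where the user entry refers to group objects and groups can themselves be members of other groups, and mapping groups such as FORTIFY_ADMINS to roles so that a user in several mapped groups receives all of the roles. The directory, the memberOf attribute name, the user entries and the group names other than the two the guide suggests are constructed for the example; the deliberate membership cycle between group1 and FORTIFY_DEVELOPERS is there to show that nested-group resolution must terminate.

```python
"""Resolve Software Security Center roles from LDAP group membership, nested groups included.

Added example; not code from HP Fortify. The directory, attribute names and
user entries are constructed stand-ins for an LDAP server.
"""

BASE_DN = "dc=domainName,dc=com"

# Constructed directory: DN -> attributes; memberOf lists the DNs of the groups
# an entry belongs to. group1 and FORTIFY_DEVELOPERS refer to each other on purpose.
DIRECTORY = {
    "uid=jdoe,ou=users,dc=domainName,dc=com": {
        "memberOf": ["cn=group1,ou=groups,dc=domainName,dc=com"]},
    "cn=group1,ou=groups,dc=domainName,dc=com": {
        "memberOf": ["cn=FORTIFY_DEVELOPERS,ou=groups,dc=domainName,dc=com"]},
    "cn=FORTIFY_DEVELOPERS,ou=groups,dc=domainName,dc=com": {
        "memberOf": ["cn=group1,ou=groups,dc=domainName,dc=com"]},
    "cn=FORTIFY_ADMINS,ou=groups,dc=domainName,dc=com": {"memberOf": []},
    "uid=root,ou=users,dc=domainName,dc=com": {
        "memberOf": ["cn=FORTIFY_ADMINS,ou=groups,dc=domainName,dc=com",
                     "cn=FORTIFY_DEVELOPERS,ou=groups,dc=domainName,dc=com"]},
}

# Group CN -> Software Security Center role: the one-group-per-role layout the guide recommends.
ROLE_MAP = {"FORTIFY_ADMINS": "Administrator", "FORTIFY_MANAGERS": "Manager",
            "FORTIFY_DEVELOPERS": "Developer", "FORTIFY_AUDITORS": "Auditor"}


def split_dn(dn):
    """Split a DN into its components, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def relative_dn(full_dn, base_dn=BASE_DN):
    """RDN of full_dn relative to base_dn, e.g. 'cn=group1,ou=users'; comparison is case-insensitive."""
    full, base = split_dn(full_dn), split_dn(base_dn)
    if len(full) < len(base) or [c.lower() for c in full[-len(base):]] != [c.lower() for c in base]:
        raise ValueError("%s is not under %s" % (full_dn, base_dn))
    return ",".join(full[:-len(base)])


def group_cn(group_dn):
    """The common name SSC keys on: the value of the leading cn= component."""
    attr, _, value = split_dn(group_dn)[0].partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("group DN does not start with cn=: " + group_dn)
    return value


def all_groups(entry_dn, directory=DIRECTORY):
    """Transitive closure of memberOf; the visited set makes membership cycles terminate."""
    seen, stack = set(), list(directory.get(entry_dn, {}).get("memberOf", []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(directory.get(group, {}).get("memberOf", []))
    return seen


def roles_for(user_dn, directory=DIRECTORY, role_map=ROLE_MAP):
    """Sorted union of the roles of every group, direct or nested, the user belongs to."""
    return sorted({role_map[group_cn(g)] for g in all_groups(user_dn, directory)
                   if group_cn(g) in role_map})


if __name__ == "__main__":
    print(relative_dn("cn=group1,ou=users,dc=domainName,dc=com"))
    for user in ("uid=jdoe,ou=users,dc=domainName,dc=com", "uid=root,ou=users,dc=domainName,dc=com"):
        print(user, "->", roles_for(user))
```

Groups that are not in the role map contribute nothing, which is the property you want from the dedicated FORTIFY_* groups: an unrelated directory group nested under one of them does not widen anyone's access, while a user placed in both FORTIFY_ADMINS and FORTIFY_DEVELOPERS receives both roles, as the section above states.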


Creating Custom Project Attributes

Software Security Center comes with customizable technical and business attributes that enable administrators and security leads to categorize projects and project versions.

To create project attribute:

1. Log on to Software Security Center as an administrator.

2. Click the Administration tab.

3. In the Administration panel on the left, in the General section, click Attribute Definitions. The Attribute Definitions panel opens on the right.

4. Click Add. The Create Attribute Definition dialog box opens.

5. Complete the fields described in the following table.

Field (* = required) Description

*Name Type a descriptive name for the attribute.

Description Type a brief description that describes exactly what the attribute is for.

The description is displayed under the attribute field in the Create Project Version wizard.


Required Select this check box to require users to set the attribute that you are defining here when they are creating a project template.

Hidden Select this check box to prevent the new attribute from being displayed in the Create Project Version wizard.

*Category Select Technical or Business to indicate the type of attribute. Depending on the category you select, the attribute is displayed on either the Business Attributes step or the Technical Attributes step of the Create Project Version wizard.

Note: If your Software Security Center instance is integrated with WebInspect, the list also includes the Dynamic Scan Request category.

*Scope Select the value that indicates whether the attribute applies only to project versions, runtime applications, or to both.

*Type Select one of the following control types:

l To create a check box for the attribute, select Boolean. l To create a calendar selection control for the attribute, select Date.

Note: This type is not available for a Dynamic Scan Request attribute. l To create a list from which a user can select only a single value for the attribute,

select List of Values - Single Selection. l To create a list from which a user can select multiple values for the attribute, select

List of Values - Multiple Selection. l To create a field that accepts an integer value, select Integer. l To create a text field into which a user can type a single line of text, select Text -

Single Line. l To create a text field into which a user can type multiple lines of text, select Text -

Multiple Lines.Note: If you select one of the List of Values types, additional fields are displayed in which you add the values and their descriptions, and select whether or not they are hidden.

6. Click Save.The new attribute is available the next time a user creates a project version using the Create Project Version wizard.


Chapter 10: Using the Software Security Center fortifyclient Utility

The topics in this section provide information about the Software Security Center fortifyclient command-line utility (on Windows systems, this is fortifyclient.bat) that you can use to securely transfer objects to and from Software Security Center.

Note: Throughout this section, <SSC_Deploy> represents the directory into which you extracted the HP_Fortify_SSC_4.30_Server_WAR.zip file.

Topics covered in this section:

• About fortifyclient Requirements
• Listing fortifyclient Options and Parameters
• About Acquiring an Upload Authentication Token
• Listing fortifyclient Authentication Tokens
• Invalidating Tokens
• Listing Project Versions
• Purging Project Versions
• About Uploading FPRs
• About Downloading FPRs
• Importing Content Bundles
• Downloading Audit Attachment Files
• About Archiving and Restoring Runtime Events

About fortifyclient Requirements

To use fortifyclient to upload HP Fortify project results (FPR), you must know the URL for your Software Security Center instance and have one of the following:

• A user account on the Software Security Center server with privileges sufficient to perform the operation specified by the fortifyclient command-line utility

• A fortifyclient authentication token

Topics covered in this section:

• About Specifying the Software Security Center URL
• About fortifyclient Authentication Tokens


About Specifying the Software Security Center URL

Most fortifyclient commands include the Software Security Center URL. The URL passed to fortifyclient must include the port number (unless the server listens on the default port for the scheme) and the context path under which Software Security Center is deployed. When the application is deployed under the /ssc context, the URL has the following form:

http://nnn.nnn.nnn.nnn:8080/ssc/

For example:

• For an application deployed under the /ssc context path: http://www.company.com/ssc
• For an application deployed as the root application: http://ssc.company.com

Note: In code examples in this guide, <SSC_URL> represents a correctly formatted SSC URL as described in this topic.
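A small check for the URL format described above, added here as an example and not part of the HP Fortify tooling. It accepts the forms the guide shows (an optional port and an optional /ssc context path, with or without the trailing slash), rejects anything else, and warns when the scheme is plain http, because fortifyclient sends the account password or authentication token to that URL. The function names are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check a Software Security Center URL before handing
# it to fortifyclient. Not part of the HP Fortify tooling.

# Accept http(s)://host[:port][/ssc][/] and nothing else: no embedded
# credentials, no query string, no other context path.
ssc_url_is_wellformed() {
    printf '%s\n' "$1" | grep -Eq \
        '^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/ssc)?/?$'
}

# fortifyclient authenticates against this URL; over plain http the password
# or token travels in cleartext.
ssc_url_is_plaintext() {
    case "$1" in
        http://*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Normalise to the form the guide shows, with a trailing slash.
ssc_url_normalize() {
    case "$1" in
        */) printf '%s\n' "$1" ;;
        *)  printf '%s/\n' "$1" ;;
    esac
}

# check_ssc_url <url>: prints the normalised URL, or fails with a reason.
check_ssc_url() {
    url=$1
    if ! ssc_url_is_wellformed "$url"; then
        echo "refusing URL '$url': expected http(s)://host[:port][/ssc]" >&2
        return 1
    fi
    if ssc_url_is_plaintext "$url"; then
        echo "warning: $url is plain http; credentials and tokens are sent unencrypted" >&2
    fi
    ssc_url_normalize "$url"
}
```

Source the file and call `check_ssc_url "$SSC_URL"` at the top of an upload script; a malformed URL then fails before any credential is sent, and a plain-http URL is flagged in the job log.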

About fortifyclient Authentication Tokens

fortifyclient authentication tokens enable scripted processes to perform operations without revealing Software Security Center user names and passwords. You can use the credentials for any existing Software Security Center user account to create an authentication token.

An authentication token inherits the privileges of the account type (Administrator, Security Lead, Manager, or Developer) of the user who creates the token. When fortifyclient uses an authentication token to perform an operation, Software Security Center logs the operation under the account name used to create the token.

Listing fortifyclient Options and Parameters

To list fortifyclient commands and parameters:

1. From the command line, navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. At the command prompt, type fortifyclient. (On a Windows system, type fortifyclient.bat.)

In Software Security Center, command and option names are case-sensitive.

About Acquiring an Upload Authentication Token

fortifyclient upload authentication tokens enable account and password information to be concealed while FPRs are uploaded to Software Security Center.

Topics covered in this section:

• Acquiring an Upload Authentication Token
• Specifying DaysToLive for fortifyclient Authentication Tokens

Installation and Configuration Guide, Chapter 10: Using the Software Security Center fortifyclient Utility


Acquiring an Upload Authentication Token

To use fortifyclient to acquire an analysis upload token, you must have the following:

• Your Software Security Center URL (see "About Specifying the Software Security Center URL" on the previous page)

• A Software Security Center user account that is permitted to create fortifyclient tokens; the token inherits the privileges of that account, so use an account with no more privilege than the scripted operation needs

To use fortifyclient to acquire an analysis upload token:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory, and run the following:

fortifyclient -url <SSC_URL> token -gettoken AnalysisUploadToken -user <Account_Name>

where AnalysisUploadToken is the case-sensitive fortifyclient upload token specifier. You are prompted for a password.

2. Type the password for <Account_Name>. fortifyclient displays a token of the general form:

cb79c492-0a78-44e3-b26c-65c14df52e86

3. Copy the returned token into a text file that only the account running the scripted uploads can read. Until it expires or is invalidated, the token grants the same access to Software Security Center as the user's password.

The ability of fortifyclient to use the token to read or write information to or from Software Security Center depends on the account privileges of the Software Security Center user account specified by the -user parameter.

Specifying DaysToLive for fortifyclient Authentication Tokens

As described in "About Acquiring an Upload Authentication Token" on the previous page, fortifyclient supports tokens that enable administrators to keep user account credentials out of scripts.

You can use the -daysToLive parameter to configure fortifyclient tokens to expire after a specified number of days. The following example command illustrates the use of the -daysToLive parameter to acquire a token that expires after two days:

fortifyclient -url <SSC_URL> token -gettoken AnalysisUploadToken -user admin -daysToLive 2

where <SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on the previous page).

You must type the case-sensitive daysToLive parameter exactly as shown in the example above.


Listing fortifyclient Authentication Tokens

Software Security Center administrators can use fortifyclient to list all existing access tokens for all Software Security Center user accounts. The fortifyclient utility does not support filtering the list of tokens by Software Security Center account name or account privilege level.

To list all access tokens:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory, and run the following:

fortifyclient -url <SSC_URL> listtokens -user <Admin_Account_Name>

where <SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95) and <Admin_Account_Name> is the name of a Software Security Center Administrator-level user account.

2. When prompted, type the password for the administrator-level user account. A list showing the ID, owner, creation date, expiration date, and creation IP address for all fortifyclient authentication tokens is returned.

Invalidating Tokens

To invalidate an existing authentication token:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> invalidatetoken [ -invalidateByID <token_ID> | -invalidateForUser <owner> | -invalidate <token> ]

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<token_ID> represents the ID of the token to invalidate

<owner> represents the user whose tokens are to be invalidated

<token> represents the token string itself (the value returned by token -gettoken) to invalidate

Listing Project Versions

You can use fortifyclient to list the Software Security Center project versions accessible by the account that was used to create a particular access token.

Note: Administrator-level users can view all project versions. Security Lead users can view all project versions they created or to which they have been granted access. Manager and Developer account users can view project versions to which they have been granted access.

To perform the command in this section, you must first obtain an upload authentication token. (See "About Acquiring an Upload Authentication Token" on page 95.)

To retrieve a list of project identifiers, project names, and project versions:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -authtoken <token> listProjectVersions

where <SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95) and <token> is a valid fortifyclient authentication token. You can also use the -user and -password parameters to specify user account credentials.

For all project versions accessible to the user account that created the token, the fortifyclient utility lists the project version ID, name, and number.

Purging Project Versions

To purge all artifacts in a project version that was scanned before a given date:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> purgeProjectVersion <project_identifier> -scanDate <MMDDYYYY>

where <SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95) and <project_identifier> is either -project <project_name> -version <version_name> or -projectVersionID <id>. All artifacts in that project version scanned before <MMDDYYYY> (two-digit month, two-digit day, four-digit year) are purged; confirm the identifier with listProjectVersions before running the command.

About Uploading FPRs

A common task is to periodically upload FPRs to Software Security Center. You can do this using an authentication token or a username and password. The topics in this section describe uploading FPRs using an authentication token. For examples using a username and password, see "About Downloading FPRs" on page 100.

fortifyclient upload access tokens (the AnalysisUploadToken type) conceal user credentials when scripts upload FPRs to Software Security Center. To limit the exposure if a token leaks, you can also restrict its lifetime with the -daysToLive parameter.

Note: To perform the procedures described in this section, you must first obtain an authentication token. (See "About Acquiring an Upload Authentication Token" on page 95.)


You can upload FPR files using one of the methods described in the following topics:

• Using a Software Security Center Project Identifier to Upload FPR Files
• Using a Software Security Center Project and Project Version to Upload FPR Files

Using a Software Security Center Project Identifier to Upload FPR Files

To upload an FPR into Software Security Center using a project identifier:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -authtoken <token> uploadFPR -file <FPRname> -projectVersionID <id>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<token> represents a valid fortifyclient authentication token

<FPRname> represents the full path and name of the FPR file with its extension

<id> represents the Software Security Center project version identifier

For information about how to acquire Software Security Center project identifiers, see "Listing Project Versions" on page 97.

Using a Software Security Center Project and Project Version to Upload FPR Files

To upload an FPR into a Software Security Center project version using the project name and version:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -authtoken <token> uploadFPR -file <FPRname> -project <Project_Name> -version <Project_Version>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<token> represents a valid fortifyclient authentication token

<FPRname> represents the full path and name of the FPR file with its extension

<Project_Name> represents the Software Security Center project name

<Project_Version> represents the Software Security Center project version that corresponds to the specified project name
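The following script, an added example rather than HP's own code, ties together the token procedure from "About Acquiring an Upload Authentication Token" (including -daysToLive) and the two upload commands above: it requests an AnalysisUploadToken without putting the password on the command line, stores the token in a file readable only by its owner, and then uploads with -authtoken. FORTIFYCLIENT, TOKEN_FILE, the function names, and the assumption that the token is the only UUID-shaped string fortifyclient prints are this example's, not the guide's.

```shell
#!/bin/sh
# Added example, not part of the HP Fortify tooling: acquire a short-lived
# AnalysisUploadToken, keep it in a mode-0600 file, and upload FPRs with
# -authtoken so the account password never appears on a command line, in
# shell history or in CI job logs. FORTIFYCLIENT, TOKEN_FILE and the
# UUID-shaped token output are assumptions of this script.

FORTIFYCLIENT=${FORTIFYCLIENT:-fortifyclient}            # fortifyclient.bat on Windows
TOKEN_FILE=${TOKEN_FILE:-"$HOME/.fortify/upload.token"}

# The token is the UUID-like string the guide shows (cb79c492-...); keep
# only that, in case fortifyclient prints a label around it (assumption).
extract_token() {
    grep -Eo '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}' | head -n 1
}

# acquire_upload_token <SSC_URL> <account> [days]
# -password is deliberately omitted: fortifyclient prompts for it on the
# terminal, so it is never visible to `ps` or recorded in history.
acquire_upload_token() {
    url=$1; account=$2; days=${3:-2}
    umask 077                                   # token file is created 0600
    mkdir -p "$(dirname "$TOKEN_FILE")"
    "$FORTIFYCLIENT" -url "$url" token -gettoken AnalysisUploadToken \
        -user "$account" -daysToLive "$days" | extract_token > "$TOKEN_FILE"
    if [ ! -s "$TOKEN_FILE" ]; then
        echo "no token returned for $account at $url" >&2
        rm -f "$TOKEN_FILE"
        return 1
    fi
    chmod 600 "$TOKEN_FILE"
}

# upload_fpr <SSC_URL> <file.fpr> <project> <version>
# Uses the stored token; it carries only the privileges of the account that
# created it and expires after -daysToLive days, so exposure is bounded.
upload_fpr() {
    url=$1; fpr=$2; project=$3; version=$4
    if [ ! -r "$TOKEN_FILE" ]; then
        echo "no token in $TOKEN_FILE; run acquire first" >&2; return 1
    fi
    if [ ! -f "$fpr" ]; then
        echo "FPR not found: $fpr" >&2; return 1
    fi
    "$FORTIFYCLIENT" -url "$url" -authtoken "$(cat "$TOKEN_FILE")" \
        uploadFPR -file "$fpr" -project "$project" -version "$version"
}

# Command-line entry point; does nothing when the file is only sourced.
case "${1-}" in
    acquire) acquire_upload_token "$2" "$3" "${4:-2}" ;;
    upload)  upload_fpr "$2" "$3" "$4" "$5" ;;
esac
```

Run `sh ssc_upload.sh acquire <SSC_URL> <account> 2` once from a terminal (it prompts for the password), then `sh ssc_upload.sh upload <SSC_URL> build/scan.fpr MyProject 1.0` from the build job. The token value still appears in the -authtoken argument, but it expires after the configured number of days and carries only the creating account's privileges, which is exactly what the token mechanism is for.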

About Downloading FPRs

You can use fortifyclient to download FPRs by specifying either the Software Security Center project version identifier or the project name and version. This section provides the procedures to download FPRs using both methods.

You can download FPRs using an authentication token or a username and password. The topics in this section describe downloading FPRs using a username and password. For examples using an authentication token, see "About Uploading FPRs" on page 98. A password passed with -password is visible in the process list and in shell history, so prefer an authentication token in scripts.

Topics covered in this section:

• Downloading an FPR Using a Project Identifier
• Downloading an FPR Using a Software Security Center Project and Project Version

Downloading an FPR Using a Project Identifier

To use fortifyclient to download an FPR file from Software Security Center using a project identifier:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -user <Username> -password <password> downloadFPR -file <FPRname> -projectVersionID <id>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<Username> represents the user name for a Developer-level (or higher) Software Security Center account with access to the project version that contains the FPR file

<password> represents the password for the Developer-level (or higher) Software Security Center account with access to the project version that contains the FPR file

<FPRname> represents the full path and name of the FPR file with its extension

<id> represents the Software Security Center project version identifier

For more information about how to acquire Software Security Center project identifiers, see "Listing Project Versions" on page 97.


Downloading an FPR Using a Software Security Center Project and Project Version

To download an FPR from a Software Security Center project version using the project name and version:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -user <Username> -password <Password> downloadFPR -file <FPRname> -project <Project_Name> -version <Project_Version>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<Username> represents the user name for a Developer-level (or higher) Software Security Center account with access to the project version that contains the fpr file

<Password> represents the password for the Developer-level (or higher) Software Security Center account with access to the project version that contains the fpr file

<FPRname> represents the full path and name of the FPR file with its extension

<Project_Name> represents the Software Security Center project name

<Project_Version> represents the Software Security Center project version that corresponds to the named project

Importing Content Bundles

As part of its ongoing support for Software Security Center, HP Fortify periodically provides content bundles (.zip filename extension) that contain one or more project templates, process templates, or report definitions.

Note: Software Security Center does not support the use of authentication tokens to import content bundles.


To import a content bundle into Software Security Center:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -user <Username> -password <Password> import -bundle <Bundle_Name>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<Username> represents the user name for a Manager-level (or higher) Software Security Center account

<Password> represents the password for that Manager-level (or higher) account

<Bundle_Name> represents the full pathname to the content bundle (.zip filename extension)

Downloading Audit Attachment Files

To download an audit attachment file:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> downloadAttachment -file <destination_file> -attachmentId <Attachment_Id>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<destination_file> represents the full path of the file into which the attachment is downloaded

<Attachment_Id> represents the id of the attachment to download

About Archiving and Restoring Runtime Events

You can use the fortifyclient command-line utility to archive and restore HP Fortify Real-Time Analyzer events. Software Security Center includes a Runtime tab, which provides access to Runtime Console tools and features that you can use to manage one or more instances of Runtime Application Protection running in Federated mode. The fortifyclient utility includes a set of features to support the Runtime Console.


Note: For information about the Runtime tab, see the HP Fortify Runtime Application Protection Operator Guide.

Topics covered in this section:

• About Archived Runtime Events
• Listing Runtime Applications
• Archiving Runtime Events
• About Restored Runtime Events
• Restoring Runtime Events
• Listing Runtime Archives
• Uploading a Source Archive to a Project
• Downloading Runtime Event Archive Files

About Archived Runtime Events

Software Security Center stores runtime event archives in its database. You can download stored archives for external storage or for data mining. Archived events are removed from Software Security Center charts and lists.

Listing Runtime Applications

The fortifyclient command-line utility returns a list of numeric runtime application IDs and names.

Before you can archive events for a given runtime application, you must use fortifyclient to obtain its numeric identifier.

To obtain a list of all runtime application identifiers:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -user <AccountName> -password <Password> listRuntimeApplications

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<AccountName> represents the user name for a Manager, Security Lead, or Administrator account with access to the Software Security Center runtime application

<Password> represents the password that corresponds to the <AccountName> specified for the Manager, Security Lead, or Administrator account that has access to the runtime application


Archiving Runtime Events

You can archive the events for a runtime application. This action stores the runtime events in zipped format in the Software Security Center database.

Before you can archive events for a given runtime application, you must use fortifyclient to obtain its numeric identifier. For more information, see "Listing Runtime Applications" on the previous page.

To archive the events for a runtime application:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -user <AccountName> -password <Password> archiveRuntimeEvents -startDate <mmddyyyy> -endDate <mmddyyyy> -applicationIds <AppID1,AppID2,...>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<AccountName> represents the user name for a Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application

<Password> represents the password that corresponds to the <AccountName> specified for the Manager, Security Lead, or Administrator account with access to the runtime application

<mmddyyyy> represents the date of the first and last runtime events to include in the archive

<AppID1,AppID2,...> represents the numeric identifiers of the runtime applications to archive
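Both purgeProjectVersion (-scanDate, see "Purging Project Versions") and archiveRuntimeEvents (-startDate and -endDate, above) take dates as eight digits in month-day-year order, a format that a CI script can easily garble. This added example, not part of the HP Fortify tooling, converts ISO 8601 dates, validates them before anything is sent to the server, and offers a dry run so that a purge can be inspected before it runs. FORTIFYCLIENT, DRY_RUN, the function names, and the use of -authtoken with purgeProjectVersion (the guide shows that command without any credential option) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the HP Fortify tooling: build the MMDDYYYY date
# arguments that purgeProjectVersion (-scanDate) and archiveRuntimeEvents
# (-startDate/-endDate) expect from ISO 8601 dates, and refuse to run when a
# date does not validate. FORTIFYCLIENT and DRY_RUN are assumptions of this
# script; so is passing -authtoken to purgeProjectVersion.

FORTIFYCLIENT=${FORTIFYCLIENT:-fortifyclient}

# YYYY-MM-DD -> MMDDYYYY. A purge is irreversible, so anything that is not a
# plausible calendar date (2015-13-01, 04302015, 2015-04-00) is rejected
# instead of being handed to the server.
to_mmddyyyy() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-}
    mi=${m#0}; di=${d#0}                 # drop leading zero before arithmetic
    [ "$mi" -ge 1 ] && [ "$mi" -le 12 ] || return 1
    [ "$di" -ge 1 ] && [ "$di" -le 31 ] || return 1
    printf '%s%s%s\n' "$m" "$d" "$y"
}

# Print the command instead of running it when DRY_RUN is set, so a purge
# can be reviewed before it is executed.
run_fortifyclient() {
    if [ -n "${DRY_RUN-}" ]; then
        printf '%s\n' "$FORTIFYCLIENT $*"
    else
        "$FORTIFYCLIENT" "$@"
    fi
}

# purge_before <SSC_URL> <projectVersionID> <YYYY-MM-DD> <token>
purge_before() {
    url=$1; pvid=$2; token=$4
    scan_date=$(to_mmddyyyy "$3") || { echo "bad date '$3': expected YYYY-MM-DD" >&2; return 1; }
    run_fortifyclient -url "$url" -authtoken "$token" \
        purgeProjectVersion -projectVersionID "$pvid" -scanDate "$scan_date"
}

# archive_runtime_events <SSC_URL> <account> <start YYYY-MM-DD> <end YYYY-MM-DD> <appId>...
# -password is omitted on purpose so that fortifyclient prompts for it
# (assumed to behave as the guide describes for the token command).
archive_runtime_events() {
    url=$1; account=$2
    start=$(to_mmddyyyy "$3") || { echo "bad start date '$3'" >&2; return 1; }
    end=$(to_mmddyyyy "$4") || { echo "bad end date '$4'" >&2; return 1; }
    shift 4
    ids=$(IFS=,; printf '%s' "$*")       # 7 9 12 -> 7,9,12
    run_fortifyclient -url "$url" -user "$account" \
        archiveRuntimeEvents -startDate "$start" -endDate "$end" -applicationIds "$ids"
}
```

Run a purge first with `DRY_RUN=1` to see the exact fortifyclient invocation, compare the project version ID against the output of listProjectVersions, and only then run it for real.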

About Restored Runtime Events

Software Security Center reassigns all restored events to Runtime Applications on the basis of the Runtime Console’s current set of application assignment rules.

For information about Runtime Console application assignment rules, see the HP Fortify Runtime Application Protection: Java Edition User Guide.


Restoring Runtime Events

To restore an archived set of runtime events:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -user <Account_Name> -password <Password> restoreRuntimeEventArchive -archiveId <ArchiveID1,ArchiveID2,...>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<Account_Name> represents the name associated with the Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application

<Password> represents the password that corresponds to the specified <Account_Name>

<ArchiveID1,ArchiveID2,...> represents the numeric identifiers of one or more runtime archives to restore

Listing Runtime Archives

The fortifyclient command-line utility returns a list of numeric archive IDs, runtime application names, start dates, end dates, and restored status values (true or false).

To use fortifyclient to list the runtime event archives contained in the Software Security Center database:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> -user <Account_Name> -password <Password> listRuntimeEventArchives

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<Account_Name> represents the name of the Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application

<Password> represents the password that corresponds to the specified <Account_Name>


Uploading a Source Archive to a Project

To upload a source archive to a project:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory.
2. Run the following:

fortifyclient -url <SSC_URL> uploadSource -file <fsa> -project <Project_Name> -version <Project_Version>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<fsa> represents the name of the source file to upload

<Project_Name>

represents the Software Security Center project name

<Project_Version>

represents the Software Security Center project version that corresponds to the named project

Downloading Runtime Event Archive Files

Follow the instructions in this topic to download a zipped runtime event archive file. You can extract the file to see the events that it contains.

To download a runtime event archive file:

1. Navigate to the <SSC_Deploy>/Tools/fortifyclient/bin directory. 2. Run the following:

fortifyclient -url <SSC_URL> -user <Account_Name> -password <Password> downloadRuntimeEventArchive -file <Destination_File> -archiveId <Archive_Id>

where

<SSC_URL> represents the URL of the Software Security Center instance (see "About Specifying the Software Security Center URL" on page 95)

<Account_Name> represents the name associated with the Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application

<Password> represents the password that corresponds to the specified <Account_Name>

<Destination_File> represents the full path for the downloaded runtime event archive (.zip) file


<Archive_Id> represents the id of the event archive file


Chapter 11: Upgrading Software Security Center

To upgrade Software Security Center, you must have Software Security Center version 2.65 or later installed. If you have an earlier version, see the 2.65 version of the HP Fortify Software Security Center Installation and Configuration Guide for instructions on how to upgrade to release 2.65, and then use the instructions in this section to upgrade to the latest Software Security Center version. If you are upgrading from a Software Security Center version earlier than 2.5, contact HP Fortify Technical Support (https://support.fortify.com).

Upgrade the Software Security Center database by performing the tasks described in the following table:

1. Prepare for the database upgrade. See "Preparing for the Software Security Center Database Upgrade" below.
2. Configure core Software Security Center server properties and database settings. See "About Configuring Connectivity to an Upgraded Database" on the next page.
3. Generate the migration SQL and run the migration SQL script on the database. See "About Running Software Security Center Database Upgrade Scripts" on the next page.
4. Reseed the database. See "About Reseeding the Upgraded Database" on page 111.
5. Undeploy the currently deployed WAR file. See the documentation for your application server.
6. Deploy the new WAR file. See "Updating and Deploying the WAR File" on page 113.
7. Update expired licenses. See "Updating Expired Licenses" on page 113.

Preparing for the Software Security Center Database Upgrade

The Software Security Center database migration process creates larger transactions than those created during regular use. For Software Security Center databases that have been successfully run in production environments, database migration does not typically require changes to your database configuration or resources. For large databases, HP recommends that you review and, if necessary, increase the database resources and settings required to accommodate the migration process.

If you are upgrading a MySQL database, see "Setting the Innodb Buffer Pool Size when Upgrading the MySQL Server Database" on the next page.


Setting the Innodb Buffer Pool Size when Upgrading the MySQL Server Database

If you are upgrading a MySQL database, HP recommends that you set the innodb_buffer_pool_size variable to at least 2GB. After the upgrade, revert to your previous setting.

For information about how to configure MySQL for use with Software Security Center, see "Configuring a MySQL Database" on page 25.

About Configuring Connectivity to an Upgraded Database

When Software Security Center was deployed, the Software Security Center Configuration Tool was used to specify the connection parameters that Software Security Center requires to work with the third-party database. To upgrade Software Security Center, you use the same configuration tool to specify the database connection parameters for the Software Security Center WAR file (ssc.war).

For information about how to configure Software Security Center database connectivity using the configuration tool, see "About Setting Up the Database" on page 36.

About Running Software Security Center Database Upgrade Scripts

Topics in this section describe the tasks you need to perform before you run the database upgrade script and the instructions for generating and running the database migration script.

Topics covered in this section:

• Preparing to Run the Database Upgrade Script (page 109)
• Generating and Running the Database Migration Script (page 110)

Preparing to Run the Database Upgrade Script

The Software Security Center database upgrade scripts require the same database privileges that the database creation scripts require.

Before you run the database upgrade script, perform the following tasks:

• Back up your existing Software Security Center database using your database client tool.
• Acquire the database account information that was used to create the existing Software Security Center database. See "About Database User Account Privileges" on page 23.

See Next

"Generating and Running the Database Migration Script" on the next page


Generating and Running the Database Migration Script

To upgrade your existing database for use with Software Security Center:

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click Database Setup.

3. Make sure that the database user credentials specified in the Database Username and Database Password fields are for a user account with the privileges required for executing migration scripts. These privileges are described in "About Database User Account Privileges" on page 23.

4. Click Test JDBC. (See "Testing the JDBC Connection" on page 40.)

5. When you are sure that the database connection works correctly, click Generate Migration SQL.

The Generate Migration SQL dialog box opens.

6. Copy the database migration script from the sub-directory that matches your Software Security Center database type to the database server or other location from which you plan to run the scripts.

7. Log on to the database account using the account that contains the privileges required to execute the migration scripts. These privileges are described in "About Database User Account Privileges" on page 23.

8. Run the SQL migration script that you generated earlier when you clicked Generate Migration SQL. If an error occurs, contact HP Fortify Technical Support (https://support.fortify.com).

9. Keep a record of the output.

See Next

"About Reseeding the Upgraded Database" on the next page


About Reseeding the Upgraded Database

After you upgrade your existing Software Security Center Server database, you must use the Software Security Center Configuration Tool to seed the upgraded database with the latest seed bundles. At a minimum, this means reseeding the Software Security Center database with the process templates and seed bundles. For information about the files you use to seed a Software Security Center database, see "About Seeding the Software Security Center Database" on page 41.

If you added the optional PCI Basic Bundle to your database, you must reseed with the Software Security Center version of the PCI Basic Bundle.

After you have reseeded the database, update and deploy the WAR file. For instructions, see "Updating and Deploying the WAR File" on page 113.

Topics covered in this section:

• Reseeding the Upgraded Database (page 111)
• Troubleshooting an Error Received While Seeding an IBM DB2 Database (page 112)

Reseeding the Upgraded Database

To reseed the upgraded Software Security Center database:

Note: If you encounter an error while seeding a DB2 database, see "Troubleshooting an Error Received While Seeding an IBM DB2 Database" on the next page.

1. If the configuration tool is not running, start it. (See "Starting the Software Security Center Configuration Tool" on page 33.)

2. At the top of the Welcome page, click Database Setup.

3. If you have not tested the JDBC connection, test it now. (See "Testing the JDBC Connection" on page 40.)

4. Make sure that the database user credentials specified in the Database Username and Database Password fields are for a user account with the privileges required for executing migration scripts. These privileges are described in "About Database User Account Privileges" on page 23.

5. To seed the Software Security Center database with the default process templates:

   a. Click Seed Process Templates. The Locate Process Template configuration file dialog box opens.

   b. Browse to the process templates seed bundle file (HP_Fortify_Process_Seed_Bundle_2015_Q1.zip), and click Open.

6. To seed the Software Security Center database with the default set of reports:

   a. Click Seed Reports. The Locate Report configuration file dialog box opens.

   b. Select the report seed bundle file (HP_Fortify_Report_Seed_Bundle_2015_Q1.zip), and click Open.


7. (Optional) To seed the Software Security Center database with the optional PCI Basic Bundle:

   a. Click Seed Reports. The Locate Report configuration file dialog box opens.

   b. Select the PCI Basic seed bundle file (HP_Fortify_PCI_3.0_Basic_Seed_Bundle_2015_Q1.zip), and click Open.

8. If you have not done so already, check to make sure that the other pages in the configuration tool are configured correctly.

9. Validate the database (see "Validating the Database (Optional)" on page 42). If an error occurs, see "Troubleshooting Database Migration Problems" on page 114.

10. On the Finish page, click Save and Finish. Your changes are saved and the configuration tool closes.

Note: If you are migrating the database from a version of Software Security Center older than 4.30, you can move additional values from the earlier version of the Software Security Center WAR file into the database. If you choose not to do this, you can manually enter these values on the Software Security Center Administration page. For instructions, see "Moving Software Security Center Property Values from an Imported WAR File into the Database" on page 43.

See Next

"Updating and Deploying the WAR File" on the next page

See Also

"Troubleshooting an Error Received While Seeding an IBM DB2 Database" below

"Troubleshooting Database Migration Problems" on page 114

Troubleshooting an Error Received While Seeding an IBM DB2 Database

If you encounter an error while reseeding a DB2 database after an upgrade, the database transaction log is probably not large enough to process the SQL statements that seeding issues. To remedy this, increase the transaction log size.

To increase the transaction log size:

1. Stop the DB2 server.

2. Start the DB2 Command Editor, and then run the following commands (DATABASE_NAME stands for the name of your Software Security Center database):

   UPDATE DATABASE CONFIGURATION FOR DATABASE_NAME USING LOGFILSIZ 100000;
   UPDATE DATABASE CONFIGURATION FOR DATABASE_NAME USING LOGPRIMARY 120;
   UPDATE DATABASE CONFIGURATION FOR DATABASE_NAME USING LOGSECOND 120;

3. Restart the DB2 server.

4. Reseed the database.

If reseeding still fails, set LOGFILSIZ to a higher value. (On Windows systems, the maximum is 260000.)


See Next

"Updating and Deploying the WAR File" below

See Also

"Troubleshooting Database Migration Problems" on the next page

Updating and Deploying the WAR File

To update the ssc.war file:

1. Undeploy the currently deployed war file. For instructions, see the documentation for your application server.

2. If you have not done so already, check to make sure that the settings on the Configuration Tool pages are configured correctly. (See "Configuring Software Security Center with the Configuration Tool" on page 32.)

3. Deploy the new ssc.war file. (See "Deploying Software Security Center in an Application Server" on page 51.)

After you have deployed the WAR file, complete the configuration tasks on the Administration page in Software Security Center. For information and instructions, see "Completing the Configuration of Software Security Center" on page 67.

Updating Expired Licenses

Software Security Center licenses expire annually. You can get your updated license from the Fortify Customer Portal.

To update an expired Software Security Center license:

1. Log on to the Fortify Customer Portal (https://support.fortify.com). If you do not have an account, send an email to Fortify Technical Support ([email protected]). If you encounter a problem logging into your account, send an email to Fortify Technical Support with “Portal Access” as the subject.

2. After you log on to the Customer Portal, at the top of the page, click the My Licenses tab. The Download Licenses page lists all licenses with current maintenance agreements. If you do not see your license, email Fortify Technical Support with “Maintenance Renewal Verification” as the subject. If your maintenance agreement was recently renewed, the Download Licenses page might not yet reflect this.

3. Click the link for the license you want to use. The license is downloaded automatically to your machine.

4. Go to the HP-Fortify-Server-WAR directory and run the ssc-configuration-wizard.jar utility.

5. Browse to and select the new fortify.license file.

6. Save and then exit the ssc-configuration-wizard.jar utility. (This saves the new license in the ssc.war file.)


7. Redeploy the newly configured ssc.war file in the application server. For Tomcat, you redeploy the ssc.war file either through the Tomcat Manager console or manually, as follows:

   a. Stop Tomcat (if it is running).

   b. In the \webapps directory of Tomcat, move the existing ssc.war file to a different location as a backup.

   c. Delete the \ssc folder.

   d. Copy the newly configured ssc.war file into the \webapps directory.

   e. Restart Tomcat.

   For other application servers, refer to the application server documentation for instructions.

8. Log on to Software Security Center.

9. Make sure that everything functions correctly.

Troubleshooting Database Migration Problems

When you are using the Software Security Center Configuration Tool and you click Validate Database, the tool checks whether the database upgrade completed successfully. If it detects an error in the upgraded database, it displays the message Database Validation Failed, or reports that you have unmigrated process templates.

Seeding error messages are formatted as follows:

ERROR yyyy-mm-dd hh:mm:ss,nnn [com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Process template [templateName] is not migrated. Please seed the new seed bundle with this template, or update the template through process template designer.

If a database validation error message occurs, navigate to the <SSC_Deploy>/logs directory, open the ssc-configuration.log file in a text editor, and look for the cause of the error.

If you can use the information in ssc-configuration.log to correct the error, reseed the database with the version 4.30 seed bundles. If you cannot use the information in ssc-configuration.log to correct the error, contact HP Fortify Technical Support (https://support.fortify.com) for assistance.
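Because every seeding error follows the fixed format shown above, an administrator can pull the names of all unmigrated process templates out of ssc-configuration.log in one pass instead of reading the file by hand, and then confirm after reseeding with the 4.30 bundles that the list is empty. The script below is an added example written for readers of this guide, not code from HP Fortify; the log content it parses is constructed to match the documented format, and the template names in it are invented.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Matches the documented seeding error line. Whitespace around the bracketed
# fields is optional because copied log text often loses or gains spaces there.
UNMIGRATED_RE = re.compile(
    r"^ERROR\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s*"
    r"\[(?P<logger>[^\]]+)\]\s*-\s*Process template\s*"
    r"\[(?P<template>[^\]]+)\]\s*is not migrated"
)


@dataclass(frozen=True)
class UnmigratedTemplate:
    timestamp: str
    logger: str
    template: str


def find_unmigrated_templates(lines: Iterable[str]) -> List[UnmigratedTemplate]:
    """One record per matching ERROR line, in log order (repeats are kept)."""
    found = []
    for line in lines:
        m = UNMIGRATED_RE.match(line.strip())
        if m:
            found.append(UnmigratedTemplate(m["ts"], m["logger"], m["template"]))
    return found


def templates_needing_reseed(lines: Iterable[str]) -> List[str]:
    """Distinct template names, in the order they were first reported."""
    seen = {}
    for item in find_unmigrated_templates(lines):
        seen.setdefault(item.template, None)
    return list(seen)


# Constructed sample log content (not a real ssc-configuration.log). The third
# line deliberately has the missing spaces seen in copied log text.
SAMPLE_LOG = """\
INFO 2015-04-20 10:15:02,114 [com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Seeding process templates
ERROR 2015-04-20 10:15:03,201 [com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Process template [Legacy Audit Workflow] is not migrated. Please seed the new seed bundle with this template, or update the template through process template designer.
ERROR 2015-04-20 10:15:03,205[com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Process template[Custom QA Flow]is not migrated. Please seed the new seed bundle with this template, or update the template through process template designer.
ERROR 2015-04-20 10:15:03,210 [com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Process template [Legacy Audit Workflow] is not migrated. Please seed the new seed bundle with this template, or update the template through process template designer.
WARN 2015-04-20 10:15:04,000 [some.other.Logger] - unrelated message
"""

if __name__ == "__main__":
    # Run against the real file with: python this_script.py < ssc-configuration.log
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for name in templates_needing_reseed(source):
        print(name)
```

After reseeding, run the script again over the fresh log: any template still listed needs either the new seed bundle that contains it or an update through the process template designer, as the message says.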


Chapter 12: Performing HP Fortify Static Code Analyzer Suite Upgrades from HP Fortify Audit Workbench

An HP Fortify Audit Workbench user can check on the availability of new HP Fortify Static Code Analyzer (SCA) and associated GUI tools versions from the Audit Workbench user interface. If a version newer than the one installed is available, the user can download it and upgrade the local instance. An Audit Workbench user can also configure Audit Workbench to check for, download, and install new versions automatically at startup.

To enable this functionality for Audit Workbench users, a Software Security Center administrator must first set up the auto upgrade capability on the Software Security Center host machine.

For information about how to upgrade Static Code Analyzer and its associated GUI tools from Audit Workbench, see the HP Fortify Audit Workbench User’s Guide.

See Also

"Enabling HP Fortify SCA Suite Upgrades from HP Fortify Audit Workbench" below

Enabling HP Fortify SCA Suite Upgrades from HP Fortify Audit Workbench

To make new Static Code Analyzer suite installers available to Audit Workbench users for upgrades:

1. On the Software Security Center host, navigate to the <SSC_Install>/WEB-INF/internal directory and open the securityContext.xml file in a text editor.

Note: <SSC_Install> is the directory in which Software Security Center was deployed. For example, for Tomcat, the <SSC_Install> directory is <tomcat>/webapps/ssc.

2. Locate and uncomment the following line:

<!-- <security:intercept-url pattern="/update-site/**" access="PERM_ANONYMOUS"/> -->

3. Save and close the securityContext.xml file.

4. Navigate to the <SSC_Install>/update-site/installers directory.

5. Open and read the readme.txt file.

6. In the readme.txt file, copy the sample update.xml file content (between and including the <installerInformation> and </installerInformation> tags).

7. Create a new text file and paste the copied text into it.

8. Update the version information for the installers to reflect your installation. For example:

   <filename>HP_Fortify_SCA_and_Apps_4.30_windows_x64.exe</filename>


9. Under the <downloadLocationList> tag, update the URL information to reflect your Software Security Center installation. For example:

   <url>http://localhost:8080/ssc/update-site/installers/</url>

10. Name this file update.xml and save it to the <SSC_Install>/update-site/installers directory.

11. Restart the application server.

12. After you get a new SCA and Apps installer file (HP_Fortify_SCA_and_Apps_<version>_<OS>), do the following:

   a. Copy the new installer file to the <SSC_Install>/update-site/installers directory.

   b. Open the update.xml file in a text editor.

   c. Between the versionId tags, type the version ID for the new installer. (The version ID is the version number without the periods.) Check to make sure that the <versionId> tag value matches the SCA version in the installer.

   d. Save the edited update.xml file.

Audit Workbench users can now check and install new Static Code Analyzer versions.

Note: The BitRock InstallBuilder tool used for the auto upgrade functionality supports only one Windows tag. If you have different versions of Windows, you must have corresponding configuration files for those versions. For information about how to create the additional configuration files, see the readme.txt file located in the <SSC_Install>/update-site/installers directory.
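The check in step 12c (versionId equals the installer's version number with the periods removed) and the URL placement in step 9 are easy to get wrong when update.xml is edited by hand for each new installer, and a mismatch silently leaves Audit Workbench users on the old version. The following Python script is an added example for readers of this chapter, not code from HP Fortify or BitRock. It takes the element names from the procedure above (installerInformation, filename, versionId, downloadLocationList, url); how they nest inside update.xml is an assumption, which is why the checks search by element name rather than by path, and the sample document is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Installer file names follow HP_Fortify_SCA_and_Apps_<version>_<OS>; this pulls out <version>.
INSTALLER_NAME_RE = re.compile(r"^HP_Fortify_SCA_and_Apps_(\d+(?:\.\d+)+)_")

# Constructed update.xml (element nesting is an assumption for this example).
SAMPLE_UPDATE_XML = """\
<installerInformation>
  <versionId>430</versionId>
  <filename>HP_Fortify_SCA_and_Apps_4.30_windows_x64.exe</filename>
  <downloadLocationList>
    <url>http://localhost:8080/ssc/update-site/installers/</url>
  </downloadLocationList>
</installerInformation>
"""


def version_from_filename(filename: str) -> str:
    """'HP_Fortify_SCA_and_Apps_4.30_windows_x64.exe' -> '4.30'."""
    m = INSTALLER_NAME_RE.match(filename)
    if not m:
        raise ValueError(f"{filename!r} is not an HP_Fortify_SCA_and_Apps_<version>_<OS> installer name")
    return m.group(1)


def expected_version_id(version: str) -> str:
    """The version ID is the version number without the periods: '4.30' -> '430'."""
    return version.replace(".", "")


def check_update_xml(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the file passes every check."""
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    version_ids = [(el.text or "").strip() for el in root.iter("versionId")]
    filenames = [(el.text or "").strip() for el in root.iter("filename")]

    if len(version_ids) != 1:
        problems.append(f"expected exactly one <versionId>, found {len(version_ids)}")
    if not filenames:
        problems.append("no <filename> entries")

    for name in filenames:
        try:
            version = version_from_filename(name)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        expected = expected_version_id(version)
        for vid in version_ids:
            if vid != expected:
                problems.append(
                    f"<versionId>{vid}</versionId> does not match installer version {version} (expected {expected})"
                )

    for loc in root.iter("downloadLocationList"):
        for url_el in loc.iter("url"):
            url = (url_el.text or "").strip()
            if not url.startswith(("http://", "https://")):
                problems.append(f"download URL {url!r} is not an http(s) URL")
            elif "/update-site/" not in url:
                # /update-site/** is the path that step 2 opens up in securityContext.xml.
                problems.append(f"download URL {url!r} is outside the /update-site/ path")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UPDATE_XML
    for problem in check_update_xml(text) or ["update.xml: OK"]:
        print(problem)
```

Run it with the path to your update.xml after step 12d; a non-empty report means Audit Workbench clients would be offered an installer whose version does not match what the file advertises.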


Appendix A: Running the Configuration Tool from the Command Line

The Software Security Center Configuration Tool is used to configure Software Security Center before deployment. You can use the configuration tool in interactive mode (using its GUI) or from the command line, for automation purposes.

To use the configuration tool from the command line, do the following:

1. Extract the following properties files from the <SSC_Install>/WEB-INF/config/ directory to your file system:

   • ssc.properties
   • dataSource.properties
   • ldap.properties

2. Modify the properties files, as necessary.

3. After setting the properties in the properties files, invoke the configuration tool from the command line.

Caution: The configuration tool can execute bundle files only if the ssc.war file was previously configured with a JDBC driver. To configure the JDBC driver and run bundle files, run the configuration tool twice: once for the JDBC driver (and everything else except bundles), and then a second time for the bundles. This is required because bundles contain seed data for the database; if the database and JDBC driver are not set up and applied first, the tool cannot connect to and write to the database.

The parameters db.username and db.password in dataSource.properties must be in plain, not encoded, form.

For example:

Initial Configuration

java -jar ssc-configuration-wizard.jar -automationMode -war ssc.war -jdbcDriver mysql-connector-java-5.1.11-bin.jar -license fortify.license -loadfrom dataSource.properties -loadfrom ssc.properties

Bundle Execution

java -jar ssc-configuration-wizard.jar -automationMode -war ssc.war -bundle MyBundle.zip -bundle MyBundle2.zip


Flags

Flag: -automationMode
Description: Required if you are running the configuration tool in non-interactive mode.
Automation mode only: No

Flag: -war [war file]
Description: The path to the ssc.war file that you are configuring.
Automation mode only: Yes

Flag: -jdbcDriver [jdbc driver file]
Description: The path to the JDBC driver file that will be embedded in the ssc.war file.
Automation mode only: Yes

Flag: -license [license file]
Description: The path to the HP Fortify license file (fortify.license) that will be embedded in the ssc.war file.
Automation mode only: Yes

Flag: -loadfrom [properties file]
Description: The path to the properties file from which values should be loaded into the ssc.war file automatically. To include several property files, add additional -loadfrom flags. The names of the property files are predefined:
   • All Core properties should be located inside the ssc.properties file.
   • All Database properties should be located inside the dataSource.properties file.
   • All LDAP properties should be located inside the ldap.properties file.
Default properties are used for attributes for which a properties file is not provided.
Automation mode only: Yes

Flag: -bundle [bundle file]
Description: The path to the bundle files that are to be executed against the database. You can include several bundles by adding additional -bundle flags.
Automation mode only: Yes
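In an automated deployment the two-pass requirement from the caution above is the part most easily lost: a pipeline that passes -bundle on the same run as -jdbcDriver fails, and one that runs the bundle pass after a failed first pass fails later with a less obvious error. The script below is an added example for readers of this appendix, not HP Fortify code. It plans both command lines from the flags in the table, rejects -loadfrom files that do not use one of the three predefined names, refuses to plan when db.username or db.password is absent from dataSource.properties, and runs the second pass only if the first succeeds. It does not try to detect whether a credential is in encoded rather than plain form, since this guide does not describe the encoding; the jar, driver, license and bundle names in the main block are the ones used in the examples above and are assumptions about your deployment.

```python
import re
import subprocess
from typing import Dict, List, Optional, Sequence

# Names the tool expects for -loadfrom files (from the Flags table).
PREDEFINED_PROPERTY_FILES = ("ssc.properties", "dataSource.properties", "ldap.properties")
# Credentials that must be present, in plain form, before the first pass can reach the database.
REQUIRED_DB_KEYS = ("db.username", "db.password")
KEY_VALUE_RE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$")


def load_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key: value, # and ! comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_datasource(text: str) -> List[str]:
    """Problems that would make the initial pass unable to connect to the database."""
    props = load_properties(text)
    return [f"{key} is missing or empty in dataSource.properties"
            for key in REQUIRED_DB_KEYS if not props.get(key)]


def initial_config_command(war: str, jdbc_driver: str, license_file: str,
                           property_files: Sequence[str]) -> List[str]:
    """First pass: embed the JDBC driver and license and load the properties files.
    No -bundle flag belongs here (see the caution above)."""
    for name in property_files:
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        if base not in PREDEFINED_PROPERTY_FILES:
            raise ValueError(f"{name}: -loadfrom accepts only {PREDEFINED_PROPERTY_FILES}")
    cmd = ["java", "-jar", "ssc-configuration-wizard.jar", "-automationMode",
           "-war", war, "-jdbcDriver", jdbc_driver, "-license", license_file]
    for name in property_files:
        cmd += ["-loadfrom", name]
    return cmd


def bundle_command(war: str, bundles: Sequence[str]) -> List[str]:
    """Second pass: execute the bundles against the now-configured database."""
    if not bundles:
        raise ValueError("at least one -bundle is required for the second pass")
    cmd = ["java", "-jar", "ssc-configuration-wizard.jar", "-automationMode", "-war", war]
    for bundle in bundles:
        cmd += ["-bundle", bundle]
    return cmd


def plan_two_pass(war: str, jdbc_driver: str, license_file: str, property_files: Sequence[str],
                  bundles: Sequence[str], datasource_text: Optional[str] = None) -> List[List[str]]:
    """Both command lines in the order they must run. If the contents of
    dataSource.properties are supplied, refuse to plan when credentials are missing."""
    if datasource_text is not None:
        problems = check_datasource(datasource_text)
        if problems:
            raise ValueError("; ".join(problems))
    return [initial_config_command(war, jdbc_driver, license_file, property_files),
            bundle_command(war, bundles)]


def run_passes(passes: Sequence[Sequence[str]]) -> None:
    for cmd in passes:
        # check=True raises on a non-zero exit, so the bundle pass never runs after a failed first pass.
        subprocess.run(list(cmd), check=True)


if __name__ == "__main__":
    # Assumed file names; adjust to your deployment.
    with open("dataSource.properties") as fh:
        ds_text = fh.read()
    passes = plan_two_pass("ssc.war", "mysql-connector-java-5.1.11-bin.jar", "fortify.license",
                           ["dataSource.properties", "ssc.properties"],
                           ["MyBundle.zip", "MyBundle2.zip"], datasource_text=ds_text)
    for cmd in passes:
        print(" ".join(cmd))
    run_passes(passes)
```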


Appendix B: LDAP Properties File Parameters

The ldap.properties file contains parameters for a single specific LDAP server. The LDAP server parameters are listed in the following table.

Parameter                      Default name

LDAP Server Usage Flag ldap.enabled

Cache Usage Flag ldap.cache

URL ldap.url

Base Domain Name ldap.base.dn

LDAP User Name ldap.user.dn

LDAP Password ldap.user.password

Search Domain Name ldap.search.dns

User Class ldap.class.user

User Name ldap.attribute.username

First Name ldap.attribute.firstname

Last Name ldap.attribute.lastname

E-mail ldap.attribute.email

Group Class ldap.class.group

Group Name ldap.attribute.groupname

Group Member ldap.attribute.member

Org Unit Name ldap.attribute.orgunitname

Org Unit Class ldap.class.orgunit

Object Class ldap.attribute.objectclass

Distinguished name ldap.attribute.distinguishedname

Nested Group Usage Flag ldap.nestedgroups

Max Thread Number ldap.cache.max.threads.per.cache

Pool Size ldap.cache.executor.pool.size

Max Pool Size ldap.cache.executor.pool.size.max


Appendix C: Configuring Software Security Center to Use Multiple LDAP Servers

If you want to use multiple LDAP servers, you must configure the first LDAP server using the procedure described in "Configuring the LDAP Server Properties" on page 43, and then configure the rest manually. The steps in the following topics describe how to manually configure Software Security Center for additional LDAP servers.

The following steps describe configuration of a second LDAP server. (In the example code, server-2 represents the unique suffix for the second LDAP server.) You can use these same steps to configure additional LDAP servers.

To configure Software Security Center to use a second LDAP server:

1. Create a new LDAP properties file and name it ldap<unique_suffix>.properties. The unique suffix could include the LDAP server name. It must not include spaces. For example:

ldap_server-2.properties

2. Specify LDAP server parameters in the ldap<unique_suffix>.properties file. You must specify unique names for the properties for each specific LDAP server. A simple way to do this is to append the same unique suffix that you used in the properties file name to every property name. For example:

ldap.enabled_server-2 = false

ldap.cache_server-2 = true

3. Move the ldap<unique_suffix>.properties file to the <SSC_Install>\WEB-INF\Core\config directory.

4. Go to the <SSC_Install>\WEB-INF\internal directory and open the coreContext.xml file in a text editor.

5. To the propertyConfigurer Spring bean, add a link to the ldap<unique_suffix>.properties file, as follows:

<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
  <property name="locations">
    <list>
      <value>/WEB-INF/config/ldap.properties</value>
      <value>/WEB-INF/config/ldap_server-2.properties</value>
      <value>/WEB-INF/config/cas.properties</value>
      <value>/WEB-INF/config/sso.properties</value>
      <value>/WEB-INF/config/ssc.properties</value>
      <value>/WEB-INF/config/jms.properties</value>
      <value>/WEB-INF/config/fm-ws.properties</value>
      <value>/WEB-INF/config/scheduler.properties</value>
      <value>/WEB-INF/config/email.properties</value>
      <value>/WEB-INF/config/rta.properties</value>
      <value>/WEB-INF/config/cloudscan.properties</value>
    </list>
  </property>
</bean>

6. The ldapContext.xml file contains descriptions of the aggregation system components used to communicate with all LDAP servers. An ldapContext<unique_suffix>.xml file contains descriptions of components used to communicate with a specific LDAP server.

Create an ldapContext<unique_suffix>.xml file. The unique suffix can include the LDAP server name. It must not include spaces. For example:

ldapContext_server-2.xml

7. Edit the ldapContext<unique_suffix>.xml file using the unique suffix, as shown in the following example:

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/20_server-2/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans.xsd">

<!-- Server 2 -->

<bean id="ldapDirectoryConfig_server-2" class="com.fortify.manager.service.ldap.LdapDirectoryConfig">

<property name="url" value="${ldap.url_server-2}"/>

<property name="userDn" value="${ldap.user.dn_server-2}"/>

<property name="password" value="${ldap.user.password_server-2}"/>

<property name="nestedGroupsEnabled" value="${ldap.nestedgroups_server-2}"/>

<property name="enabled" value="${ldap.enabled_server-2}"/>

Installation and Configuration GuideAppendix C: Configuring Software Security Center to Use Multiple LDAP Servers

HP Fortify Software Security Center (4.30) Page 121 of 133

Page 122: HP Fortify Software Security Center - Hewlett Packard …community.softwaregrp.com/dcvta86296/attachments/d… ·  · 2017-12-04HP Fortify Software Security Center Software Version:

<property name="baseDN" value="${ldap.base.dn_server-2}"/>

<property name="searchDNsStr" value="${ldap.search.dns_server-2}"/>

<property name="distinguishedNameAttribute" value="${ldap.attribute.distinguishedname_server-2}"/>

<property name="objectSidAttribute" value="${ldap.attribute.objectSid-2}"/>

<property name="baseObjectSid" value="${ldap.base.object.sid-2}"/>

<property name="orgUnitObjectClass" value="${ldap.class.orgunit_server-2}"/>

<property name="orgUnitNameAttribute" value="${ldap.attribute.orgunitname_server-2}"/>

<property name="groupObjectClass" value="${ldap.class.group_server-2}"/>

<property name="groupNameAttribute" value="${ldap.attribute.groupname_server-2}"/>

<property name="groupMemberAttribute" value="${ldap.attribute.member _server-2}"/>

<property name="userObjectClass" value="${ldap.class.user_server-2}"/>

<property name="usernameAttribute" value="${ldap.attribute.username_server-2}"/>

<property name="useCache" value="${ldap.cache_server-2}"/>

<property name="firstNameAttribute" value="${ldap.attribute.firstname _server-2}"/>

<property name="lastNameAttribute" value="${ldap.attribute.lastname_server-2}"/

<property name="emailAttribute" value="${ldap.attribute.email_server-2}"/>

<property name="objectClassAttribute" value="${ldap.attribute.objectclass_server-2}"/>

<property name="searchScope" value="#{T(javax.naming.directory.SearchControls).SUBTREE_SCOPE}"/>

<property name="validationTimeLimit" value="${ldap.validation.timeLimit-2}"/>

<property name="validationIdleTime" value="${ldap.validation.idleTime-2}"/>

<property name="pagingEnabled" value="${ldap.paging.enabled-2}"/>

<property name="ldapPageSize" value="${ldap.pageSize-2}"/>

Installation and Configuration GuideAppendix C: Configuring Software Security Center to Use Multiple LDAP Servers

HP Fortify Software Security Center (4.30) Page 122 of 133

Page 123: HP Fortify Software Security Center - Hewlett Packard …community.softwaregrp.com/dcvta86296/attachments/d… ·  · 2017-12-04HP Fortify Software Security Center Software Version:

<property name="ignorePartialResultException" value="true"/>

</bean>

<bean id="initialDirContextFactory_server-2" class="com.fortify.manager.security.ldap.FmInitialDirContextFactory">

<constructor-arg ref="ldapDirectoryConfig_server-2"/>

<property name="baseEnvironmentProperties" ref="ldapContextEnvironment"/>

<property name="productService" ref="productServiceImpl"/>

</bean>

<bean id="ldapTemplate_server-2" class="org.springframework.ldap.core.LdapTemplate">

<property name="contextSource">

<bean class="com.fortify.manager.security.ldap.FmLdapContextSource">

<property name="ldapDirectoryConfig" ref="ldapDirectoryConfig_server-2"/>

<property name="baseEnvironmentProperties" ref="ldapContextEnvironment"/>

<property name="productService" ref="productServiceImpl"/>

</bean>

</property>

<property name="ignorePartialResultException" value="true"/>

</bean>

<bean id="ldapService_server-2" class="com.fortify.manager.service.ldap.impl.LdapServiceImpl">

<property name="ldapDirectoryConfig" ref="ldapDirectoryConfig_server-2"/>

<property name="ldapTemplate" ref="ldapTemplate_server-2"/>

<property name="ldapObjectSource" ref="ldapObjectSource_server-2"/>

<property name="cachedLdapObjectSource">

<bean class="com.fortify.manager.service.ldap.impl.CachedLdapObjectSource">

Installation and Configuration GuideAppendix C: Configuring Software Security Center to Use Multiple LDAP Servers

HP Fortify Software Security Center (4.30) Page 123 of 133

Page 124: HP Fortify Software Security Center - Hewlett Packard …community.softwaregrp.com/dcvta86296/attachments/d… ·  · 2017-12-04HP Fortify Software Security Center Software Version:

<property name="ldapObjectSource" ref="ldapObjectSource_server-2"/>

<property name="ldapCacheManager" ref="ldapCacheManager_server-2"/>

</bean>

</property>

</bean>

<bean id="bindAuthenticator_server-2"

class="org.springframework.security.ldap.authentication.BindAuthenticator">

<constructor-arg ref="initialDirContextFactory_server-2"/>

<property name="userSearch" ref="ldapService_server-2"/>

</bean>

<bean id="fmLdapAuthenticationProvider_server-2"

class="com.fortify.manager.web.security.auth.FMLdapAuthenticationProvider">

<constructor-arg ref="bindAuthenticator_server-2"/>

<property name="userDetailsContextMapper" ref="fmLdapUserDetailsMapper"/>

<property name="enabled" value="${ldap.enabled_server-2}"/>

</bean>

<bean id="ldapObjectSource_server-2"

class="com.fortify.manager.service.ldap.impl.DirectLdapObjectSource">

<property name="ldapTemplate" ref="ldapTemplate_server-2"/>

<property name="ldapDirectoryConfig" ref="ldapDirectoryConfig_server-2"/>

</bean>

<bean id="ldapCacheManager_server-2"

class="com.fortify.manager.service.ldap.impl.LdapCacheManagerImpl">

<property name="ldapCacheFactory" ref="ldapCacheFactory"/>

<property name="ldapCacheTaskFactory">


<bean class="com.fortify.manager.service.ldap.impl.LdapCacheTaskFactoryImpl">

<property name="ldapObjectSource" ref="ldapObjectSource_server-2"/>

<property name="ldapDirectoryConfig" ref="ldapDirectoryConfig_server-2"/>

</bean>

</property>

<property name="maxThreadsPerCache" value="${ldap.cache.max.threads.per.cache_server-2}"/>

</bean>

</beans>

8. Check to make sure that the names of all beans and parameters are correct and unique for both the ldapcontext.xml file and the ldapContext<unique_suffix>.xml file.

9. Check to make sure that the LdapDirectoryConfig attributes are correctly mapped to the ldap.properties parameters.

10. In the web.xml file, add the ldapContext<unique_suffix>.xml file to the contextConfigLocation list, next to the existing ldapContext.xml entry. For example:

<context-param>

<param-name>contextConfigLocation</param-name>

<param-value>

/WEB-INF/internal/dataSourceContext.xml

/WEB-INF/internal/coreContext.xml

/WEB-INF/internal/dataContext.xml

/WEB-INF/internal/hibernateTransactionContext.xml

/WEB-INF/internal/applicationContext.xml

/WEB-INF/internal/serviceContext.xml

/WEB-INF/internal/ldapContext.xml

/WEB-INF/internal/ldapContext01.xml

/WEB-INF/internal/ldapContext_server-2.xml

/WEB-INF/internal/securityContext.xml

/WEB-INF/internal/securityInterceptorsContext.xml

/WEB-INF/internal/endpoint.xml


/WEB-INF/internal/serverContext.xml

/WEB-INF/internal/flexContext.xml

/WEB-INF/internal/cloudCtrlClientContext.xml

/WEB-INF/internal/eventContext.xml

/WEB-INF/internal/schedulerContext.xml

</param-value>

</context-param>

11. In the ldapContext.xml file, update the ldapService and fmLdapAuthenticationProvider bean definitions so that they also reference the ldapService_server-2 and fmLdapAuthenticationProvider_server-2 beans defined in the new file.

12. Restart Software Security Center.


Appendix D: Authoring Software Security Center Bug Tracker Plugins

Software Security Center supports integration with external bug tracking systems. This integration allows Software Security Center users to log bugs for issues while auditing them in the Collaboration Module. As delivered, the system is already capable of integrating with JIRA, Bugzilla, and ALM. (For specific versions supported, see the Software Security Center System Requirements document.) If your company uses a different bug-tracking system, you can author a new plugin for it. This section provides information about how to author and deploy a new bug-tracking plugin.

Note: In this guide, the Software Security Center Configuration Tool, and Software Security Center, the terms bug and defect are used interchangeably. Defect is most commonly used in the description of the Defect Tracker Plugins page in the Software Security Center Configuration Tool. In most other locations, the term bug is used.

Important: HP strongly recommends that you inspect the delivered plugin samples before you author your own plugin. You can find the samples in the following directory:

<SSC_Deploy>/Samples/BugTrackerplugin/<BugTrackerPlugin_Name>

Topics covered in this section:

• Use Case, page 127
• Project Setup, page 128
• Implementation, page 128
• Plugin Methods and Method Calls, page 129
• Plugin Helper, page 131
• Error Handling, page 131
• Almost Stateless, page 131
• Debugging Bug-Tracker Plugin, page 132
• Deploying a Bug Tracker Plugin, page 132

Use Case

You (the Software Security Center administrator) can configure an external bug-tracking system to use with a given Software Security Center project version, as described in "About Bug Tracker Integration" on page 80. Software Security Center displays the required configuration parameter fields for the bug tracker you select, and you set the values for these just one time for the project version. After you test the bug-tracker configuration parameter values for validity (optional), you save them to the database for use whenever a user logs a defect for the project version.

A user who submits a bug against a project version logs on to the bug-tracker, and then completes the required fields that the bug tracker supplies for the bug parameters. Required parameter information can include such items as summary, description, severity level, component, and so on.


The plugin framework supports a dynamic aspect to bug-tracking parameters. Whenever a user changes a parameter value, the plugin detects the change and an updated list of bug parameters with new list selections becomes available.

When a bug is filed, the bug ID is saved in the database against the issue. The user can then navigate to the bug using an external bug link, which the plugin supplies.

The credentials accepted from the user filing the bug are saved in the server session and are reused for bugs subsequently submitted against the project during the same session.

Project Setup

The bug tracker plugin can be an independent project that you can write using your preferred IDE.

Configure a bug tracker plugin project with the following dependencies:

• fortify-public-4.3.jar (required)
• Apache Commons Logging (optional)
• Apache Commons Lang (optional)
• Any other API jar that does not conflict with libraries already packaged with ssc.war

You can use your preferred build system to build your project distributable.

Implementation

All plugins must implement the com.fortify.pub.bugtracker.plugin.BugTrackerPlugin interface. HP strongly recommends that your implementation class extend com.fortify.pub.bugtracker.plugin.AbstractBugTrackerPlugin so that you can take advantage of any backward-compatibility support that becomes available in future releases. Additionally, you must annotate the implementation class with @BugTrackerPluginImplementation. During runtime, Software Security Center scans its binaries to identify all classes marked with this annotation and loads them as plugins.

The BugTrackerPlugin interface is as follows (the import lines are added here for completeness; the supporting types are taken to live in com.fortify.pub.bugtracker.support, the package named for the exception classes under "Error Handling"):

package com.fortify.pub.bugtracker.plugin;

import java.util.List;
import java.util.Map;

import com.fortify.pub.bugtracker.support.*; // Bug, BugParam, BugSubmission, BugTrackerConfig, IssueDetail, UserAuthenticationStore

public interface BugTrackerPlugin {

    // true if the framework must collect user credentials before any bug-tracking operation
    public boolean requiresAuthentication();

    // configuration items shown to the administrator; the saved values come back through setConfiguration
    public List<BugTrackerConfig> getConfiguration();

    public void setConfiguration(Map<String, String> configuration);

    public void testConfiguration(UserAuthenticationStore credentials);

    public String getShortDisplayName();

    public String getLongDisplayName();

    // bug parameters shown to the user, and the callback run when a parameter with dependents changes
    public List<BugParam> getBugParameters(IssueDetail issueDetail,
            UserAuthenticationStore credentials);

    public List<BugParam> onParameterChange(IssueDetail issueDetail,
            String changedParamIdentifier, List<BugParam> currentValues,
            UserAuthenticationStore credentials);

    public Bug fileBug(BugSubmission bug, UserAuthenticationStore credentials);

    public void validateCredentials(UserAuthenticationStore credentials);

    public Bug fetchBugDetails(String bugId, UserAuthenticationStore credentials);

    public String getBugDeepLink(String bugId);

}

Plugin Methods and Method Calls

The following list describes the methods and calls to use with your plugin.

requiresAuthentication

Returns true if the framework must request credentials from the user before any bug-tracking operation. This is almost always true; the exceptions are plugins that obtain credentials by a different mechanism (for example, from a credential store) or that interact with the bug-tracking system asynchronously rather than in real time. If the method returns false, the framework passes null for every UserAuthenticationStore parameter of the plugin methods.

getConfiguration

The plugin framework calls getConfiguration to obtain metadata about the questions to present during plugin configuration. The return value is a list of BugTrackerConfig objects, each describing one configuration item. Each item corresponds to a text box in the user interface, and the value field of each item supplies the default value for that text box.

setConfiguration (call)

After you select the bug-tracking system for the project version and save the configuration to the database, every subsequent interaction with the plugin is preceded by a setConfiguration call, which gives the plugin the configuration under which its operations are to be carried out.

testConfiguration (call)

The plugin framework calls testConfiguration to test the configuration previously passed in through setConfiguration. The method is expected to contact the bug-tracking system using the configured details and validate them as fully as possible. If the plugin declared that it requires authentication, the user's credentials are collected first and passed to this call.

getShortDisplayName

Returns a short display name for the plugin. This string populates the list of available bug tracker plugins.

getLongDisplayName

Returns a name that adds identifying information about the bug-tracking system taken from the configuration. It is used, for example, when the user is prompted to provide credentials for a bug-tracking system.

getBugParameters

Returns metadata about the bug parameters to present to users. Software Security Center supports the following three bug parameter types:

• BugParamText translates to a text box.
• BugParamTextArea translates to a multiple-line text box and is typically used for bug descriptions.
• BugParamChoice translates to a list.

The issueDetail object carries the details of the issue for which the user is attempting to log a bug. Default values for bug parameters such as the summary and description can be extracted from this object. The protected pluginHelper member has a helper method that builds a suggested default bug description. (See "Plugin Helper" later in this appendix.)

onParameterChange

The plugin framework calls onParameterChange whenever the value of a bug parameter marked hasDependentParams (see the BugParamChoice class javadoc) changes. The method can take action and return a new list of bug parameters to display. Keep the following guidelines in mind:

• Act on each bug parameter that has dependent parameters.
• Handle the case in which the parameter value changes to null (no selection made).
• When a parameter's selections change, set that parameter's value in the returned list to null.
• Before you add a new parameter, check the return list to make sure that it does not already include the parameter.
• Return null if there is no change.
• Use one of the following strategies: modify the currentValues parameter and return it, or construct the return value from raw parameters that you maintain, setting values and choice lists before returning.

fileBug

Files a bug on the external bug-tracking system. The BugSubmission object passed in carries all bug details. Make sure that you correctly distinguish between bug.getIssueDetail() and bug.getParams(): getIssueDetail() returns the details of the Software Security Center issue, whereas getParams() returns the bug parameter values that the user provided. If you added the bug description as a user-editable bug parameter, take the description from bug.getParams() rather than from bug.getIssueDetail(); otherwise the user's edits are silently discarded. fileBug returns a Bug object; its bug ID is stored against the issue and is later passed to fetchBugDetails to fetch the bug and to getBugDeepLink to formulate the deep link.

If you have access to your repository, you can use the getLastBuildWithoutIssue(), getDetectedInBuild(), and getFileName() fields of BugSubmission.getIssueDetail() to perform changeset discovery.

validateCredentials

Declared in the interface but not described separately in this guide; see "Error Handling" for the exception to throw when the bug-tracking system rejects the supplied credentials.

fetchBugDetails

Fetches the current status of the bug with the given ID. (The original text of this guide refers to this method as fetchBug; the interface listing names it fetchBugDetails.)

getBugDeepLink

Formulates a deep link to the bug. If the bug tracker does not support deep links, return null.

For a detailed explanation of each parameter and other supporting classes, see the public API javadoc.

Plugin Helper

If your bug tracker plugin class extends the provided AbstractBugTrackerPlugin class, a protected member of type BugTrackerPluginHelper, named pluginHelper, is available to it. This helper object performs frequently needed plugin operations such as building bug descriptions, locating parameters by identifier, and loading default values. Consult the javadoc for details, and look at its usage in the plugin samples.

Error Handling

For proper error handling and reporting, use the following strategy across all plugin methods to throw exceptions:

l Throw com.fortify.pub.bugtracker.support.BugTrackerException for any error that the user can act on: for example, an invalid configuration, an error reported by the bug-tracking system, or the bug-tracking system being unavailable. The message carried by this exception is relayed to the user and is therefore expected to be user friendly; do not put stack traces, credentials, or other internal details in it.

l Throw com.fortify.pub.bugtracker.support.BugTrackerAuthenticationException if and only if the credentials provided to the bug-tracking system are incorrect. This exception causes the cached bug tracker credentials to be cleared, so throwing it for any other failure forces users to re-enter credentials needlessly.

l Throw RuntimeException or its subclasses for internal exceptions.

Almost Stateless

As soon as a plugin object is instantiated, the setConfiguration call is made. The only state that should be kept within the plugin is the set of configuration values provided by this call. From this point on, all plugin calls are expected to be stateless. Plugin instances must not keep any other state, leave connections open, or try to use connections opened in a previous call. Software Security Center does not cache or reuse plugin instances across plugin operations. Open whatever state a call needs inside that call, and clean it up before the method returns.

Debugging Bug-Tracker Plugin

Apache Commons logging is supported in plugins. The resulting logs are appended into the file ssc.log located in the application server logs directory. All exceptions are automatically logged. You can also perform remote debugging of your plugin by connecting to your application server from the plugin project within your IDE.
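The following class is added to this guide as an illustration; it is not one of the delivered plugin samples and not HP code. It puts the "Implementation", "Plugin Methods and Method Calls", "Error Handling", and "Almost Stateless" sections together in one plugin for a hypothetical REST bug tracker. Everything about that tracker (the base URL, the /api/... paths, HTTP Basic authentication, a form-encoded request body, and a newline-separated response body) is invented for the example. The setter and getter names on BugTrackerConfig, BugParam, BugParamChoice, IssueDetail, and UserAuthenticationStore, the pluginHelper.buildDefaultBugDescription helper, the Bug(bugId, status) constructor, and the String constructors of the two exception classes are assumed from the fortify-public API and must be checked against the public API javadoc before use; java.util.Base64 requires Java 8. The points it demonstrates: the plugin keeps only its configuration as state and opens a fresh connection in every call; it takes user-editable values from bug.getParams() and uses the issue only for defaults; it maps HTTP 401/403 to BugTrackerAuthenticationException (so that Software Security Center clears the cached credentials) and every other user-actionable failure to BugTrackerException with a readable message; it handles a cleared project selection in onParameterChange without adding the dependent parameter twice; and it URL-encodes user-chosen values before placing them in a request path or body.

```java
package com.example.ssc.bugtracker; // hypothetical package; this class is not one of the delivered samples

import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import com.fortify.pub.bugtracker.plugin.AbstractBugTrackerPlugin;
import com.fortify.pub.bugtracker.plugin.BugTrackerPluginImplementation;
import com.fortify.pub.bugtracker.support.*; // Bug, BugParam*, BugSubmission, BugTrackerConfig, the exceptions, ...

@BugTrackerPluginImplementation // SSC scans for this annotation at startup and loads the class as a plugin
public class ExampleRestTrackerPlugin extends AbstractBugTrackerPlugin {
    // Configuration and bug-parameter identifiers used by this example (not SSC constants).
    private static final String CFG_URL = "trackerUrl", P_SUMMARY = "summary", P_DESC = "description",
            P_PROJECT = "project", P_COMPONENT = "component";
    private Map<String, String> config = new HashMap<String, String>(); // the only state a plugin may keep
    @Override public boolean requiresAuthentication() { return true; } // credentials are collected from the user
    @Override public String getShortDisplayName() { return "Example REST Tracker"; }
    @Override public String getLongDisplayName() { return "Example REST Tracker at " + config.get(CFG_URL); }

    @Override public List<BugTrackerConfig> getConfiguration() {
        BugTrackerConfig url = new BugTrackerConfig(); // setter names assumed from the fortify-public javadoc
        url.setIdentifier(CFG_URL); url.setDisplayLabel("Tracker base URL"); url.setRequired(true);
        url.setValue("https://tracker.example.internal"); // default shown in the configuration text box
        return Collections.singletonList(url);
    }
    @Override public void setConfiguration(Map<String, String> configuration) {
        String base = configuration.get(CFG_URL); // user credentials travel in every request: refuse plain http
        if (base == null || !base.startsWith("https://")) throw new BugTrackerException("Tracker URL must start with https://");
        config = new HashMap<String, String>(configuration);
    }
    @Override public void testConfiguration(UserAuthenticationStore credentials) { validateCredentials(credentials); }
    @Override public void validateCredentials(UserAuthenticationStore credentials) { call("GET", "/api/me", null, credentials); }

    @Override public List<BugParam> getBugParameters(IssueDetail issueDetail, UserAuthenticationStore credentials) {
        List<BugParam> params = new ArrayList<BugParam>();
        params.add(param(new BugParamText(), P_SUMMARY, "Summary", issueDetail.getSummary())); // getter name assumed
        params.add(param(new BugParamTextArea(), P_DESC, "Description",
                pluginHelper.buildDefaultBugDescription(issueDetail, true))); // helper method assumed; see the javadoc
        BugParamChoice project = param(new BugParamChoice(), P_PROJECT, "Project", null);
        project.setHasDependentParams(true); // the component list depends on the chosen project
        project.setChoiceList(call("GET", "/api/projects", null, credentials));
        params.add(project);
        return params;
    }
    @Override public List<BugParam> onParameterChange(IssueDetail issueDetail, String changedParamIdentifier,
            List<BugParam> currentValues, UserAuthenticationStore credentials) {
        if (!P_PROJECT.equals(changedParamIdentifier)) return null; // no change for any other parameter
        String project = null; BugParamChoice component = null;
        for (BugParam p : currentValues) { // find the new project value and the dependent parameter, if present
            if (P_PROJECT.equals(p.getIdentifier())) project = p.getValue();
            if (P_COMPONENT.equals(p.getIdentifier())) component = (BugParamChoice) p;
        }
        if (component == null) currentValues.add(component = param(new BugParamChoice(), P_COMPONENT, "Component", null));
        component.setValue(null); // its selections change below, so any earlier choice is stale
        component.setChoiceList(project == null ? new ArrayList<String>() // selection cleared: nothing to choose from
                : call("GET", "/api/projects/" + enc(project) + "/components", null, credentials));
        return currentValues;
    }
    @Override public Bug fileBug(BugSubmission bug, UserAuthenticationStore credentials) {
        Map<String, String> p = bug.getParams(); // what the user typed, including edits to the description
        String body = "summary=" + enc(p.get(P_SUMMARY)) + "&description=" + enc(p.get(P_DESC))
                + "&project=" + enc(p.get(P_PROJECT)) + "&component=" + enc(p.get(P_COMPONENT));
        String bugId = call("POST", "/api/issues", body, credentials).get(0); // the tracker replies with the new ID
        return new Bug(bugId, "Open"); // Bug(bugId, status) constructor assumed
    }
    @Override public Bug fetchBugDetails(String bugId, UserAuthenticationStore credentials) {
        return new Bug(bugId, call("GET", "/api/issues/" + enc(bugId) + "/status", null, credentials).get(0));
    }
    @Override public String getBugDeepLink(String bugId) { return config.get(CFG_URL) + "/browse/" + enc(bugId); }

    // One HttpURLConnection per call, closed before return: nothing is cached or reused across plugin calls.
    private List<String> call(String method, String path, String body, UserAuthenticationStore creds) {
        HttpURLConnection c = null;
        try {
            c = (HttpURLConnection) new URL(config.get(CFG_URL) + path).openConnection();
            c.setRequestMethod(method); c.setConnectTimeout(10000); c.setReadTimeout(30000);
            String userPass = creds.getUserName() + ":" + creds.getPassword(); // getter names assumed
            c.setRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8)));
            if (body != null) {
                c.setDoOutput(true); c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
                c.getOutputStream().write(body.getBytes(StandardCharsets.UTF_8));
            }
            int status = c.getResponseCode();
            if (status == 401 || status == 403) throw new BugTrackerAuthenticationException("The bug tracker rejected the supplied credentials"); // SSC clears cached credentials
            if (status >= 400) throw new BugTrackerException("Bug tracker returned HTTP " + status + " for " + method + " " + path); // relayed to the user
            Scanner s = new Scanner(c.getInputStream(), "UTF-8").useDelimiter("\\A"); // hypothetical line-per-value body
            return Arrays.asList((s.hasNext() ? s.next() : "").split("\n"));
        } catch (IOException e) {
            throw new BugTrackerException("Cannot reach the bug tracker at " + config.get(CFG_URL) + ": " + e.getMessage());
        } finally {
            if (c != null) c.disconnect(); // cleanup before method exit
        }
    }
    private static <T extends BugParam> T param(T p, String id, String label, String value) {
        p.setIdentifier(id); p.setDisplayLabel(label); p.setValue(value); return p;
    }
    private static String enc(String s) { // URL-encode user-chosen values before they enter a request path or body
        try { return URLEncoder.encode(s == null ? "" : s, "UTF-8"); } catch (UnsupportedEncodingException e) { throw new RuntimeException(e); }
    }
}
```

Compile the class against fortify-public-4.3.jar, package it as a jar, and add it through the Defect Tracker Plugins page as described under "Deploying a Bug Tracker Plugin". Because the class refuses a non-https tracker URL in setConfiguration, a misconfigured plain-http URL is reported to the administrator as a user-actionable BugTrackerException rather than silently sending user credentials in the clear.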

Deploying a Bug Tracker Plugin

To deploy a bug tracker plugin:

1. Build a jar that contains the plugin classes and any of its dependent classes.

2. Prepare the library jar files that your plugin uses and check to make sure that these libraries do not conflict with the jar files in the ssc.war file.

3. Add the new jar files to Software Security Center using the Defect Tracker Plugins page in the Software Security Center Configuration Tool. For instructions, see "Configuring the Defect Tracker Plugins" on page 49.

4. Save your changes to the WAR file and deploy it. For instructions, see "Completing the Software Security Center Configuration and Deploying the WAR File" on page 50.


Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this system, click the link above and an email window opens with the following information in the subject line:

Feedback on Installation and Configuration Guide (Fortify Software Security Center 4.30)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to [email protected].

We appreciate your feedback!
