HP Fortify Software Security Center
Software Version 3.70

HP Fortify Software Security Center Installation and Configuration Guide

Document Release Date: November 2012
Software Release Date: November 2012



Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2012 Hewlett-Packard Development Company, L.P.

Documentation Updates
The title page of this document contains the following identifying information:
• Software version number
• Document release date, which changes each time the document is updated
• Software release date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
http://h20230.www2.hp.com/selfsolve/manuals
This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to:
http://h20229.www2.hp.com/passport-registration.html
You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.
Part Number: 1-151-2012-11-370-01


HP Fortify Software Security Center Installation and Configuration Guide iii

Contents

Chapter 1: Introduction (page 7)
  About this Guide (7)
  Typographic Conventions Used in This Document (8)
  Related Documents (9)
    Accessing HP Fortify Software Security Center Documentation (9)
  Contacting HP Fortify (9)
    Technical Support (9)
    Corporate Headquarters (9)
    HP Corporate Website (9)
  HP Fortify Assistive Technologies (10)

Chapter 2: Securely Deploying Software Security Center (page 11)
  Overview of Secure Deployment (11)
  Securing Access to Facilities (11)
  Securing the Application Server (11)
    Setting Application Server Attributes to Protect Sensitive Data (11)
  Using HTTPS and SSL Communications (11)
  Securing Passwords and User Roles (12)
  Managing Computer Services and Accounts (12)

Chapter 3: Overview of HP Fortify Software Security Center and its Deployment (page 13)
  The Central Role of Software Security Center (13)
  Overview of the Software Security Center Installation Environment (14)
  Overview of Software Security Center Deployment (16)
    High-Level Deployment Tasks (16)

Chapter 4: Deploying Software Security Center (page 18)
  Overview of Software Security Center Deployment (18)
  Downloading Software Security Center Files (19)
  Setting Up Your Application Server for Software Security Center Deployment (20)
    Configuring pragma no-cache on Application Servers (20)
    Preparing Apache Tomcat for Software Security Center Deployment (21)
    Preparing IBM WebSphere for Software Security Center Deployment (23)
  Unpacking and Deploying Software Security Center Software (26)
  Downloading the JDBC Driver (26)
  Installing and Configuring Database Software (26)


  Creating the Software Security Center Database (27)
    Database Instance and Privileges Requirements (27)
    Database-Specific Configuration Requirements (27)
    Creating the Database (30)
  Configuring the Database Connection (31)
  Selecting the JDK (33)
  Seeding the Software Security Center Database (34)

Chapter 5: Configuring Software Security Center (page 36)
  Starting the Software Security Center Configuration Tool (36)
  Configuration Tool Tabs (36)
  Configuring an Eclipse plug-in Update Site (38)
  Configuring User Account Timeout and Lockout Settings (38)
  Configuring a Proxy for Secure Coding Rulepacks Updates (40)
  Configuring Email Alerts (41)
  Configuring Bug Tracker Integration (42)
    Additional Bug Tracker Configuration (43)
    Securing Logon Credentials for Bug-Tracking Systems (43)
    Viewing Previously Logged Bugs in Collaboration Module (45)
    Changing the Bug-Tracking System for a Project (46)
  Configuring Single Sign-On (46)
  Configuring HP Fortify CloudScan Monitoring and Troubleshooting in Software Security Center (48)
  Configuring LDAP User Authentication (49)
  Overview of Software Security Center User Authentication (49)
    Database-only Authentication (49)
    Software Security Center LDAP Authentication (49)
  Preparing to Configure LDAP Authentication (50)
    Download the JXplorer LDAP Browser (50)
    Create an LDAP Account for use by Software Security Center (50)
    Avoid Conflicts Between Account Names (50)
    Gather and Record Required Information (50)
  Configuring LDAP Server Options (51)
  Enabling HP Fortify Real-Time Analyzer Communications (54)

Chapter 6: Logging On and Administering User Accounts (page 55)
  Deploying Software Security Center in Your Application Server (55)
    Deploying Software Security Center in Tomcat Application Servers (55)
    Deploying Software Security Center in WebLogic Application Servers (55)
    Deploying Software Security Center in JBoss Enterprise Application Platform (55)
    Deploying Software Security Center in WebSphere (56)


    Starting Software Security Center (56)
    Logging On to Software Security Center for the First Time (56)
  Overview of Software Security Center User Administration (57)
    Administrator Accounts (57)
    Security Lead, Manager, and Developer Accounts (57)
  Creating User Accounts (57)
  Registering LDAP Entities with Software Security Center (58)
  Managing LDAP User Roles (59)
    How Software Security Center Determines Group Membership (59)
    Mapping Software Security Center Roles to LDAP Groups (59)
  Creating Custom Project Attributes (60)

Chapter 7: Using the fortifyclient Utility (page 62)
  Requirements for Using fortifyclient (62)
  Understanding fortifyclient Authentication Tokens (62)
  Running the fortifyclient Utility (62)
    Specifying the Software Security Center URL (62)
    Listing fortifyclient Options and Parameters (63)
    Acquiring an Upload Authentication Token (63)
    Listing fortifyclient Authentication Tokens (64)
    Listing Project Versions (64)
    Uploading FPRs (64)
    Downloading FPRs (66)
    Importing Content Bundles (67)
  Archiving and Restoring Runtime Events (67)
    Listing Runtime Applications (68)
    Archiving Runtime Events (69)
    Listing Runtime Archives (69)
    Restoring Runtime Events (70)

Chapter 8: Upgrading Software Security Center (page 71)
  Overview of Upgrading a Software Security Center Database (71)
  Preparing to Upgrade Your Software Security Center Database (71)
    MySQL Server: Setting the Innodb Buffer Pool (71)
  Configuring Connectivity to the Upgraded Database (71)
  Running Software Security Center Database Upgrade Scripts (72)
    Preparing to Run the Database Upgrade Script (72)
    Generating and Running the Database Migration Script (72)
  Re-seeding Your Upgraded Database and Deploying the WAR File (73)
    Updating the WAR File (74)
  Troubleshooting Database Migration Problems (74)


Appendix A: Authoring Software Security Center Bug Tracker plug-ins (page 75)
  Use Case (75)
  Project Setup (75)
  Implementation (75)
  Plug-in Methods and Method Calls (76)
  Plug-in Helper (78)
  Error Handling (78)
  Almost Stateless (78)
  Changeset Discovery (79)
  Debugging (79)
  Deployment (79)


Chapter 1: Introduction

About this Guide
This guide is written for users who are responsible for deploying and maintaining HP Fortify Software Security Center. It provides all of the information you need to acquire, install, and configure HP Fortify Software Security Center.
This document is intended for users who are moderately knowledgeable about enterprise application development and skilled in enterprise system and database administration. It is written for:
• System and instance administrators
• Database administrators (DBAs)
If you are not installing Software Security Center for the first time, but instead need instructions on how to upgrade from an earlier version, see Chapter 8, Upgrading Software Security Center on page 71.
The chapters in this document contain the following information:
• Chapter 1 (this chapter) contains information about this guide, its intended audience, a summary of the guide contents, and the typographical conventions used. This chapter also describes the related documents that are important for Software Security Center installation, and where to get them.
• Chapter 2, Securely Deploying Software Security Center on page 11 describes guidelines for secure Software Security Center deployment.
• Chapter 3, Overview of HP Fortify Software Security Center and its Deployment on page 13 provides an overview of the Software Security Center system environment and its components, as well as the high-level tasks for deploying a new Software Security Center instance.
• Chapter 4, Deploying Software Security Center on page 18 contains instructions on how to download Software Security Center files, prepare the application server and database, and deploy Software Security Center.
• Chapter 5, Configuring Software Security Center on page 36 contains instructions on how to configure Software Security Center.
• Chapter 6, Logging On and Administering User Accounts on page 55 provides instructions on how to log on to Software Security Center and set up and manage user accounts.
• Chapter 7, Using the fortifyclient Utility on page 62 contains information about the fortifyclient command-line utility, and how you can use it to securely transfer objects such as Fortify project results files and content bundles to and from Software Security Center.
• Chapter 8, Upgrading Software Security Center on page 71 provides information about how to upgrade an existing Software Security Center instance.
• Appendix A: Authoring Software Security Center Bug Tracker plug-ins on page 75 describes how to author and deploy a bug-tracking plug-in (in addition to those supplied with Software Security Center software) to use with Software Security Center.


Typographic Conventions Used in This Document
Table 1 lists the typographic conventions used in this document.

Table 1: Typographic conventions used in this document

Convention: On the File menu, click Open.
Description: In procedure steps, bold indicates controls displayed in the user interface.

Convention: expr, path
Description:
• In command lines, italics indicate placeholders for information you supply.
• In documentation, italic letters indicate terms that the document uses in specific ways, usually the first time a term occurs in a topic.
• Italics can also denote emphasis.

Convention: ReadOnly, FileName
Description: In text and command lines, the use of bold and italic together indicates a named argument.

Convention: [-l, -p, -c]
Description: In command lines, valid options are enclosed between square brackets.

Convention: {While | Until}
Description: In command lines, terms enclosed in braces and separated by a vertical bar indicate a choice among two or more items. You must choose one of the items unless all of the items are enclosed in square brackets.

Convention: Dim rstCust As ADODB.Recordset
Description: In command lines, monospace font indicates code.

Convention:
Sub StockSale()
. . .
End Sub
Description: In code examples, a column of three periods indicates that part of an example has been omitted intentionally.

Convention: backslash (\)
Description: In code examples, the backslash character is used to continue command examples that are too long to fit on a single line. For example:
dd if=/dev/rdsk/c0t1d0s6 \
of=/dev/rst0 bs=10b count=10000
On UNIX-based systems, a long line of code is sometimes split onto two lines and indicated with a backslash. At other times, the entire code is on one line.

Convention: braces { }
Description: In code examples, braces indicate required items. Example: .DEFINE {macro1}

Convention: ellipses (…)
Description: In code examples, ellipses indicate an arbitrary number of similar items. Example: CHKVAL fieldname val1 val2 … valN


Related Documents
The following documents provide deployment information for system administrators and DBAs:
• HP Fortify Software Security Center Server Requirements contains information about the hardware and software requirements and recommendations for Software Security Center. You must review this document before you start to deploy your Software Security Center instance.
• HP Fortify Software Security Center Release Notes provides product information that is not included in the regular documentation set.
• What's New in HP Fortify Software Security Center contains information about features added to Software Security Center since its previous release.
• HP Fortify Software Security Center Process Designer User Guide contains information about how to use Process Designer to create and edit process templates for your HP Fortify Software Security Center projects.
The HP Fortify Software Security Center User Guide provides all Software Security Center users with detailed information about how to use Software Security Center.
For information about all of the guides in the Software Security Center documentation suite, see the About HP Fortify Documentation guide.

Accessing HP Fortify Software Security Center Documentation
The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates.
To get the latest versions of these documents, go to the HP Software Product Manuals site (http://h20230.www2.hp.com/selfsolve/manuals). To access this website, you must first set up an HP Passport account.

Contacting HP Fortify
If you have questions or comments about any part of this guide, use the HP Fortify contact information provided in the following sections.

Technical Support
[email protected]

Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA
[email protected]

HP Corporate Website
http://www.hpenterprisesecurity.com


HP Fortify Assistive Technologies
In accordance with Section 508 of the U.S. Rehabilitation Act, HP Fortify Software Security Center, HP Fortify Audit Workbench, HP Fortify Plugin for Eclipse, and HP Fortify Package for Microsoft Visual Studio have been engineered to work with the JAWS screen-reading software package from Freedom Scientific. JAWS provides text-to-speech support for use by the visually impaired. With JAWS, labels, text boxes, and other textual components can be read aloud, providing greater access to the information therein.
For information about how to use JAWS, see the HP Fortify Software Security Center System Requirements document. For additional information or assistance, visit HP Accessibility at: http://www.hp.com/accessibility.


Chapter 2: Securely Deploying Software Security Center

Overview of Secure Deployment
The Software Security Center family of products performs sophisticated analysis of an enterprise's source code. That analysis results in concise summaries of the security vulnerabilities of that source code.
Just as you apply security precautions to analyzed source code, you must also secure access to the Software Security Center analysis products that access that source code. Moreover, the concentrated summarization of security vulnerabilities provided by the Software Security Center family of products may mandate an even higher level of secure deployment.
This chapter summarizes some of the ways to securely deploy Software Security Center.

Securing Access to Facilities
Software Security Center stores and renders source code of programs it has analyzed, and any issues discovered in those programs, as unencrypted HTML. Because program source code and any detected vulnerabilities it contains offer various opportunities for mishandling or abuse, HP Fortify recommends that administrators deploy Software Security Center in a secure operations facility. You must also secure the underlying Software Security Center file system and restrict access to the Software Security Center installation directory.

Securing the Application Server
You must ensure the operational security of the application server running Software Security Center. At a minimum, configure the application server to use HTTPS in conjunction with an SSL certificate issued by a trusted certificate authority. Also, take any additional steps necessary to secure the application server in your operating environment.

Setting Application Server Attributes to Protect Sensitive Data
Some application server settings may make the sensitive information in some cookies vulnerable to unnecessary disclosure.
To protect sensitive data, HP Fortify recommends that you add the following attributes (flags) for cookies on your application server:
• The Secure attribute prevents the cookie from being transmitted on requests that are not protected with SSL or TLS. Use this option to prevent cookies that could disclose sensitive information (for example, session identifiers) from leaking information over insecure channels (such as HTTP).
• The HttpOnly attribute prevents the cookie value from being accessed through client-side scripting routines. HP Fortify recommends that you keep this attribute enabled unless the cookie is being read by client-side JavaScript routines.
For information about how to set the Secure and HttpOnly attributes, see the documentation for your application server (and version).

Using HTTPS and SSL Communications
HP Fortify strongly recommends that you configure Software Security Center and HP Fortify client products to use HTTPS and SSL for all communications. When using SSL, HP Fortify does not support deploying Software Security Center to a container that uses self-signed certificates.
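The cookie attributes and the certificate requirement described above are container settings that are easy to get wrong and easy to verify once the server is up. The following Python script is an added example, not part of the HP Fortify documentation or product: it parses Set-Cookie headers and reports every cookie that lacks Secure or HttpOnly. The embedded sample headers are constructed, and the cookie names in them are illustrative rather than names Software Security Center is known to use. The optional fetch_set_cookie_headers helper retrieves real headers over HTTPS using Python's default certificate verification, so a container that presents a self-signed certificate, which the guide says is unsupported, fails the fetch instead of being silently accepted; the URL it takes is an assumption supplied by the operator.

```python
"""Added example: audit Set-Cookie headers for the Secure and HttpOnly attributes.
Not part of the HP Fortify documentation; the sample headers below are constructed."""
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of Set-Cookie header values as an application server
# might emit them. Cookie names are illustrative only.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=1A2B3C4D5E6F; Path=/ssc; Secure; HttpOnly",
    "prefs=theme%3Ddark; Path=/ssc; Expires=Wed, 21 Nov 2012 10:00:00 GMT",
    "csrftoken=abc123; Path=/; Secure",
]


@dataclass
class CookieReport:
    name: str
    secure: bool
    http_only: bool
    # Attributes the cookie should carry but does not.
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value and flag missing attributes.

    Attribute names are matched case-insensitively because servers differ in
    the capitalisation they emit ("HttpOnly" vs "httponly", "Secure" vs "secure").
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        # An empty header carries no attributes at all.
        return CookieReport("", False, False, ["Secure", "HttpOnly"])
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    secure = "secure" in attrs
    http_only = "httponly" in attrs
    missing = [label for label, present in (("Secure", secure), ("HttpOnly", http_only))
               if not present]
    return CookieReport(name, secure, http_only, missing)


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for every cookie that fails the check."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        report = parse_set_cookie(header)
        if report.missing:
            findings[report.name] = report.missing
    return findings


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Fetch a URL and return its Set-Cookie headers (needs network; not run here).

    urllib verifies the server certificate against the trusted CA store by
    default, so a self-signed certificate raises an SSL error rather than
    being accepted. The URL is an assumption supplied by the operator.
    """
    with urllib.request.urlopen(url) as response:
        return response.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Run against the constructed sample; swap in fetch_set_cookie_headers(url)
    # to audit a live deployment.
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run against the sample, the script reports that prefs lacks both attributes and csrftoken lacks HttpOnly, while JSESSIONID passes. The check is deliberately strict: a cookie that is legitimately read by client-side JavaScript (the one case in which the guide allows omitting HttpOnly) will be listed too, and the operator decides whether that finding is acceptable.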


Securing Passwords and User Roles

As soon as you finish deploying your Software Security Center instance and you log on for the first time, HP Fortify recommends that you immediately create a new admin account and delete the default admin account. For information about logging on to Software Security Center and deleting the default admin account, see Chapter 6, Logging On and Administering User Accounts on page 55.

Software Security Center account security features include:
• The ability for administrators to suspend accounts that have become temporarily inactive
• The automatic lock-out of accounts on the basis of failed log-on attempts
For more information about Software Security Center account management, see the HP Fortify Security Center User Guide.

If you are using LDAP to authenticate Software Security Center users, configure your LDAP server to use secure LDAP communications. For more information about configuring Software Security Center to use LDAP authentication, see Configuring LDAP User Authentication on page 49.

Managing Computer Services and Accounts

When you install Software Security Center, configure it as a service running under a least-privileged user account. Also, because Software Security Center temporarily stores files that are uploaded from a user account to the computer’s file system, you should always install and run updated anti-virus software on the machine on which Software Security Center is running.


Chapter 3: Overview of HP Fortify Software Security Center and its Deployment

The Central Role of Software Security Center

Software Security Center provides a centralized management and analysis facility for project data gathered and processed using HP Fortify analysis products and tools (Static Code Analyzer, SecurityScope, HP Fortify Real-Time Analyzer, and Audit Workbench) across the complete Secure Development Lifecycle (SDL). To provide that centralized management, Software Security Center interoperates with the following external components:
• Required components
  • Third-party application server
  • Third-party database
  • HP Fortify Rulepack server
• Optional components
  • Third-party LDAP authentication server
  • Defect-tracking system
  • SMTP email server
  • One or more HP Fortify analysis agents and tools


Overview of the Software Security Center Installation Environment

Figure 1 illustrates the relationship of Software Security Center to the required and optional components listed in the previous section.

Figure 1: Relationship of Software Security Center to required and optional components

Table 2 provides descriptions of the components illustrated in Figure 1.

Table 2: Required and optional Software Security Center installation entities

ID  Description
S1  Software Security Center. HP Fortify delivers Software Security Center as a Web Archive (WAR) file run by a web application server (A1).
D1  Required third-party Software Security Center database. Stores user and artifact data. Before putting the Software Security Center into production, you must install a supported third-party database.


Software Security Center installation requires not only the configuration of Software Security Center to interoperate with the external components shown in Figure 1, but also configuration of the external components to interoperate with Software Security Center.

Table 2: Required and optional Software Security Center installation entities (Continued)

ID  Description
A1  Application server. Software Security Center (S1) is delivered as a Web ARchive (WAR) file, and is run by a web application server.
A2  Optional third-party LDAP authentication server. You can configure Software Security Center to use LDAP authentication.
A3  Optional defect-tracking server. Software Security Center can be configured to enable bugs to be submitted to a Bugzilla, JIRA, or ALM bug-tracking system directly from Collaboration Module.
A4  Optional third-party email server. Software Security Center can be configured to use an external SMTP email server to send alerts to project collaborators.
C1  Optional HP Fortify Static Code Analyzer analysis agent. SCA scans source code and identifies issues.
C2  Optional HP Fortify Program Trace Analyzer (PTA) analysis agent. PTA performs pre-deployment analysis of instrumented code running in a pre-production environment.
C3  Optional HP Fortify Real-Time Analyzer: Microsoft .NET Edition analysis agent. HP Fortify Real-Time Analyzer (RTA) performs analysis of instrumented code running in a production environment.
C4  HP Fortify Audit Workbench source code auditing tool. Although it is technically optional, most Software Security Center installations will use Audit Workbench (AWB) to audit issues and categorize vulnerabilities.
F1  HP Fortify download server, used to acquire installation programs.
F2  HP Fortify RTA Rulepacks Update server, hosted by HP Fortify and used to acquire and update RTA Rulepacks.


Overview of Software Security Center Deployment

Software Security Center is packaged as a Web Archive (WAR) file. It runs under a separate, third-party application server and requires a supported third-party database. Software Security Center includes a configuration tool that you use to configure it to interoperate with required entities such as the third-party database and HP Fortify Real-Time Analyzer, as well as with optional entities such as email servers, bug-tracking systems, and LDAP authentication servers.

For information about Software Security Center system requirements, see the HP Fortify Software Security Center System Requirements document.

High-Level Deployment Tasks

Table 3 lists the high-level tasks required to prepare for Software Security Center deployment, install the product, and to configure it for use. It also provides links to the sections of this guide that cover each task.

Table 3: Software Security Center deployment tasks

Task Description Where to Find Information and Instructions

1 Download the Software Security Center software files and your fortify.license file. See Downloading Software Security Center Files on page 19 and the HP Fortify Software Security Center System Requirements document.

2 Prepare your application server for Software Security Center deployment. See Setting Up Your Application Server for Software Security Center Deployment on page 20.

3 Unpack the installation bundle. See Unpacking and Deploying Software Security Center Software on page 26.

4 Download the JDBC driver for the database server you plan to use. For information about supported JDBC drivers and versions, see the HP Fortify Software Security Center System Requirements document. See Downloading the JDBC Driver on page 26.

5 Install and configure the database server software. For information about supported databases, see the HP Fortify Software Security Center System Requirements document. See the documentation for your database software.

6 Create a Software Security Center database and run the database creation and initialization script (HP-Fortify-Server-WAR/sql/<Database_Type>/create-tables.sql) that is packaged with the production WAR file. See Creating the Software Security Center Database on page 27.

7 Use the Software Security Center Configuration Tool to configure Software Security Center properties. For information about how to configure the database for Software Security Center, see Configuring the Database Connection on page 31.

8 Configure Software Security Center to use the Java Development Kit (JDK) that is compatible with the application server you plan to use to run Software Security Center. For instructions, see Selecting the JDK on page 33.


9 Use the Software Security Center Configuration Tool to seed the database. For information about how to seed the Software Security Center database, see Seeding the Software Security Center Database on page 34.

10 Use the Software Security Center Configuration Tool to configure single sign-on, email notifications, web services, and more. This chapter also provides instructions on how to configure custom attributes that your users can assign to their projects. For information about how to configure the Software Security Center properties, see the following sections in Chapter 5, Configuring Software Security Center on page 36:
• Configuring an Eclipse plug-in Update Site
• Configuring User Account Timeout and Lockout Settings
• Configuring a Proxy for Secure Coding Rulepacks Updates
• Configuring Email Alerts
• Configuring Bug Tracker Integration
• Configuring Single Sign-On
• Configuring HP Fortify CloudScan Monitoring and Troubleshooting in Software Security Center
• Configuring LDAP User Authentication
• Enabling HP Fortify Real-Time Analyzer Communications
For information about how to configure custom attributes, see Configuring LDAP User Authentication on page 49.

11 Deploy Software Security Center in your application server. For instructions, see Deploying Software Security Center in Your Application Server on page 55.

12 Log on to Software Security Center and administer users, manage LDAP entities and user roles, and create custom Project attributes. For instructions, see Chapter 6, Logging On and Administering User Accounts on page 55.



Chapter 4: Deploying Software Security Center

This chapter provides the information you need to prepare to deploy Software Security Center for the first time. It begins with a description of the high-level tasks involved in deployment, and then provides instructions on how to perform each task.

Use this information along with your HP Fortify Customer Portal account to download your HP Fortify license file, the installation package, and associated resource bundles used to seed the third-party database required to run Software Security Center. This chapter also contains instructions on how to configure the Java Runtime Environment (JRE) used to run Software Security Center.

If you intend to use your Software Security Center instance to provide Federation Controller services to one or more instances of HP Fortify Real-Time Analyzer (RTA) running in Federated mode, you must enable Software Security Center to communicate with RTA. You can find instructions on how to complete this task in Enabling HP Fortify Real-Time Analyzer Communications on page 54.

Overview of Software Security Center Deployment

Software Security Center is packaged as a Web Archive (WAR) file. It runs under a separate, third-party application server and requires a supported third-party database. Software Security Center includes a configuration tool that you use to configure Software Security Center to interoperate with required entities such as the third-party database and HP Fortify Real-Time Analyzer, as well as with optional entities such as email servers, bug-tracking systems, and LDAP authentication servers.

For information about Software Security Center system requirements, see the HP Fortify Software Security Center System Requirements document.


Downloading Software Security Center Files

HP Fortify Software is available on DVD or as an electronic download. This section contains information about which Software Security Center Server installation file to download from the HP Software Support Online site, and how to unpack these Software Security Center Server installation resources.

Note: You must have a SAID account to download HP Fortify Software from the HP Software Support Online site.

To download the Software Security Center installation files:
1. Go to HP’s Software Support Online website https://www.hp.com/go/softwaresupport. For complete, detailed instructions on how to download software from the HP Software Support Online site, see the “Acquiring HP Fortify Software” section of the HP Fortify Software Security Center System Requirements document.
2. Do one of the following:
• If you are deploying Software Security Center on a Windows system, download the Software_HP_Fortify_3.70_Eng_SW_Media_TF302-15079.iso file.
• If you are deploying Software Security Center on a Linux, UNIX, or Mac system, download the Software_HP_Fortify_3.70_Linux_Unix_Mac_TF302-15080.iso file.
3. The iso file is a disc image of the entire Software Security Center product line. After you download it and before you deploy the software, either mount the ISO image or burn it to a DVD. For detailed instructions, see the HP Fortify Software Security Center System Requirements document.


Setting Up Your Application Server for Software Security Center Deployment

Before you can successfully install, configure, and run Software Security Center, you must have, and be able to administer, a supported third-party application server. Secure deployment is particularly important with regard to application server configuration, operation, and communications. For information about secure deployment considerations for third-party application servers running Software Security Center, see Securing the Application Server on page 11.

The following sections provide information about simple configuration procedures to prepare your application server for Software Security Center deployment. No special configuration is required to prepare the WebLogic and JBoss application servers for Software Security Center deployment.

Note: For information about which application servers and versions are supported, see the HP Fortify Software Security Center System Requirements document.

Configuring pragma no-cache on Application Servers

Microsoft Internet Explorer does not always handle the pragma no-cache response header correctly. If all three of the following conditions are true, then you must configure your application server so that it does not transmit the pragma no-cache metatag:
• You support users who use Microsoft Internet Explorer to access Software Security Center.
• Your application server is configured to use SSL to communicate with Software Security Center.
• Your application server adds the pragma no-cache metatag to the header of an HTML page.

Configuring pragma no-cache for Apache Tomcat

If you use Apache Tomcat to run Software Security Center, go to the following Apache web page for information on how to configure the pragma no-cache settings for your server:
http://www.mail-archive.com/[email protected]/msg151294.html

Configuring pragma no-cache on Servers Other than Apache Tomcat

The location of the configuration file that contains the pragma no-cache setting varies depending on the type of supported application server you use with Software Security Center. For information about the location of the pragma no-cache setting in your application server, see the documentation for your server.


Preparing Apache Tomcat for Software Security Center Deployment

If you intend to use Apache Tomcat as your application server, you must first specify Tomcat server memory settings. This enables Software Security Center to use several frameworks that dynamically subclass an application’s core classes. Dynamic subclassing requires an increased number of class definitions in the Java runtime’s permanent memory heap.

Note: Configuring Tomcat memory does not impair server runtime performance or the behavior of the runtime environment.

Configuring Tomcat Memory on Windows Systems

This section provides information about how to configure Tomcat memory on Windows systems, either from the Windows command line or using the Windows Services tool.

Configuring Tomcat Memory from the Windows Command Line

If you are running Software Security Center on a Windows system, and starting the Tomcat server from the Windows command line, then before you start the Tomcat server, set the CATALINA_OPTS environment variable, as follows:
CATALINA_OPTS=-Xms256M -Xmx768M -XX:MaxPermSize=256M -Djava.awt.headless=true

Configuring Tomcat Memory Using the Windows Services Tool

If you are running Software Security Center on a Windows system, and you are running Tomcat as a Windows service, you can use the Apache Tomcat Properties dialog box to specify the Software Security Center memory settings. Windows applies the memory settings whenever it starts the Tomcat service (for example, after a power-failure reboot).

The procedure in this section assumes that:
• You are qualified to configure a Tomcat application server running on a Windows computer, and to use Windows Computer Management tools
• You have configured your Tomcat server to run as a Windows service
For information about configuring Tomcat, see the Tomcat documentation.

To use the Windows Services tool to configure Tomcat memory settings:
1. Log on to Windows as an Administrator-level user.
2. In Windows, open the Apache Tomcat Properties dialog box, and then do one of the following:
• If you ran a Windows installation program to install Tomcat, select Start > Configure Tomcat.
• If you ran a Windows installation program to install Tomcat, go to the Windows system tray and double-click the Apache Tomcat icon.
• If you did not run a Windows installation program to install Tomcat, go to the Windows Computer Management tool, right-click the entry for the Tomcat service, and then select Properties.
The Apache Tomcat Properties dialog box opens.


3. Click the Java tab.

4. Configure the Tomcat properties as follows:
a. In the Initial memory pool box, type 256.
b. In the Maximum memory pool box, type 768.
c. In the Java Options box, type the following lines (including line breaks):
-XX:MaxPermSize=256M
-Djava.awt.headless=true
d. Click OK.
To apply the new memory settings, you must first restart the Tomcat service. However, before you do, make sure that you have configured Tomcat memory (see Preparing Apache Tomcat for Software Security Center Deployment on page 21).

Configuring Tomcat Memory on UNIX-based Systems

Before you start Tomcat, specify the CATALINA_OPTS environment variable as follows:
CATALINA_OPTS=-Xms256M -Xmx768M -XX:MaxPermSize=256M -Djava.awt.headless=true
The exact format for this specification depends on the shell you use to specify the settings.


Preparing IBM WebSphere for Software Security Center Deployment

WebSphere 6.1 Deployment

To run Software Security Center using WebSphere 6.1, consider the following WebSphere configuration requirements.
• Use WebSphere 6.1 with Fix Pack 35.
• You must have version 7 of the IBM Update Installer.
• Name the application ssc, and not ssc_war.
• The application class loader must be set in two places: the module level and the server level.
After you complete the configuration, restart WebSphere.

If you plan to deploy Software Security Center in WebSphere, complete the following tasks before you deploy Software Security Center:
1. Install a supported version of IBM Update Installer.
2. Check the HP Fortify Software Security Center Server Requirements document to make sure that you have a supported version of WebSphere application server software installed.
3. Start your WebSphere instance, and then log on to the administrative console.
4. Add a custom property on the WebSphere application server web container. (For instructions, see Adding a Custom Property on the Web Container.)
5. Set the application class-loader policy and class-loader mode. (For instructions, see Setting the Class-Loader Policy and Mode.)

Adding a Custom Property on the Web Container

To add a custom property on the WebSphere application server web container:
1. Select Servers > Application Servers > <Server_Name> > Web Container settings > Web Container.
2. Under Additional Properties, select Custom Properties.
3. On the Custom Properties page, click New. The Settings page opens.
4. In the Name box, type com.ibm.ws.webcontainer.invokefilterscompatibility.
5. In the Value box, type true.
6. Click OK.
7. On the console task bar, click Save.

Setting the Class-Loader Policy and Mode

To set the class-loader policy and mode:
1. Select Servers > Application Servers > <Server_Name>.
2. Under Server-specific Application Settings, do the following:
• Set the application class-loader policy to Single.
• Set the class-loader mode to PARENT_LAST.


WebSphere 7.0 Deployment

To run Software Security Center using WebSphere 7.0, you must first perform the following tasks:
• Download a copy of the HP Fortify web certificate in X.509 DER format.
• Configure the WebSphere 7.0 application server.
• Use IBM’s ikeyman utility to add the HP Fortify web certificate to the WebSphere 7.0 certificate store.

Downloading an HP Fortify Web Certificate

The HP Fortify web certificate enables the instance of Software Security Center running under the WebSphere 7.0 server to establish an HTTPS connection with the HP Fortify Rulepack update server at update.fortify.com. The following procedures describe how to download a copy of the HP Fortify certificate in X.509 DER format from either a Firefox or Internet Explorer web browser window.

Using Firefox to Download a Fortify Web Certificate

To export a Fortify web certificate from Firefox:
1. Browse to the Fortify Customer Portal site (update.fortify.com), and then log on using your Customer Portal credentials. The Your Products page opens.
2. To open the certificate export tool:
a. Right-click the page, and then select View Page Info from the shortcut menu. Firefox displays the Page Info window.
b. In the Page Info window, click Security.
c. In the Website Identity section, click View Certificate.
d. In the Certificate Viewer dialog box, click the Details tab, and then click Export.
3. In the Save Certificate to File dialog box:
a. Browse to the directory to which you want to save the certificate file.
b. In the File Name box, type a file name, and make a note of the name.
c. In the Save as type list, leave X.509 Certificate (PEM) selected.
4. Click Save.
5. Close the Certificate Viewer dialog box.

Using Internet Explorer to Download a Fortify Web Certificate

To use Internet Explorer to export a Fortify web certificate:
1. From Internet Explorer, browse to the Fortify Customer Portal site (update.fortify.com) and then log on using your Customer Portal credentials. The Your Products page opens.
2. To open the Certificate Export Wizard:
a. Right-click the page, and then select Properties from the shortcut menu.
b. In the Properties dialog box, click Certificates.
c. In the Certificate dialog box, click the Details tab, and then click Copy to File. The Certificate Export Wizard starts.
3. To export the certificate as an X.509 DER file:
a. Click Next.
b. On the Export File Format step, leave DER Encoded Binary X.509 (.CER) selected, and then click Next.


c. On the Export to File step, browse to the directory to which you want to save the certificate file, type a file name, and then click OK.
d. Click Next.
e. On the completion step, review your settings, and then click Finish.

Adding the Fortify Web Certificate to the WebSphere Application Server 7.0

The final task required to configure Software Security Center to run under WebSphere Application Server 7.0 is to use IBM’s iKeyman utility to add the Fortify web certificate to the certificate store of WebSphere Application Server 7.0. The following procedure describes how to add your downloaded Fortify web certificate to the WebSphere server certificate store.

To add the Fortify web certificate to the WebSphere 7.0 server:
1. Start the IBM key management utility (iKeyman). For instructions, see IBM’s online documentation for certificate management.
2. To open the WebSphere key store for updating:
a. From the Key Database File menu, select Open.
b. From the Key database type list in the Open dialog box, select PKCS12.
c. Browse to <WebSphere Install Dir>/profiles/<AppServer>/config/cells/<Cell/Node Name>/Nodes/<Node Name>/trust.p12, and then click OK.
The iKeyman utility prompts for a password.
3. Type the WebSphere keystore password. (The default password is WebAS.)
4. To install the Fortify web certificate:
a. Click Add.
b. Browse to and select the Fortify web certificate you downloaded (see Downloading an HP Fortify Web Certificate on page 24), and then click OK.
The iKeyman utility prompts you to label the certificate.
c. The Enter a Label box displays the default label “ssc_war”. Replace this value with “ssc”.
d. Click OK.
The iKeyman utility adds the Fortify web certificate to the WebSphere certificate store.
5. In the iKeyman utility, in Key Database File, click Exit.
This completes configuration of the WebSphere 7.0 server to support Software Security Center.

WebSphere 6.1 Configuration

To run Software Security Center using WebSphere 6.1, consider the following WebSphere configuration options.
• Use WebSphere 6.1 with Fix Pack 35.
• The Update Installer must be version 7.
• Name the application “ssc”, and not “ssc_war”.
• Set the invokefilterscompatibility property.
• The application class loader must be set in two places: the module level and the server level.
• After you complete the configuration, restart WebSphere.


Unpacking and Deploying Software Security Center Software

To unpack the HP_Fortify_3.70_Server_WAR.zip file and deploy Software Security Center:
1. Navigate to the directory that now contains the HP Fortify product files for your operating system, and open the folder for your operating system (for example, the Windows folder).
2. Extract the contents of the file HP_Fortify_3.70_Server_WAR.zip to the root directory of your application server.
Unpacking the HP_Fortify_3.70_Server_WAR.zip file creates the HP-Fortify-Server-WAR directory, which contains all the resources and tools you need to configure Software Security Center and migrate projects from previous versions. This new directory is referred to in this document as the <SSC_Deploy> directory.
3. Copy the seed bundle files described in the following table and your fortify.license file to the <SSC_Deploy> directory. (For information about how to access your fortify.license file, see the HP Fortify Software Security Center System Requirements document.)

File Name  Description
HP_Fortify_Process_Seed_Bundle_2012_Q2.zip  Process templates seed bundle used to seed your third-party database tables
HP_Fortify_Report_Seed_Bundle_2012_Q2.zip  Reports seed bundle used to seed the third-party database tables
HP_Fortify_PCI_Basic_Seed_Bundle_2012_Q2.zip  (Optional) PCI Basic bundle adds a Payment Card Industry process template and an associated report to the default set of Software Security Center process templates and reports

The process templates seed bundle and the reports seed bundle are required for Software Security Center deployment. The PCI Basic seed bundle is optional. Although you are not required to copy the resource files to the <SSC_Deploy> directory, the procedures in this document are based on the assumption that you saved the files to that location.

Downloading the JDBC Driver

Licensing prohibits Software Security Center from including the JDBC drivers required to interface with the supported third-party databases. You must obtain the JDBC JAR files required to support the type and version of third-party database you plan to use with Software Security Center.

For information about the database driver classes supported by Software Security Center and where to obtain the corresponding class JAR files, see the HP Fortify Software Security Center System Requirements document.

Installing and Configuring Database Software

Task 5 involves installing and configuring your third-party database server software. For information about which database versions Software Security Center supports for a production environment, see the HP Fortify Software Security Center System Requirements document. For database software installation and configuration instructions, see the documentation for your database software.


Creating the Software Security Center Database

If you are configuring and deploying a new instance of Software Security Center, you must first install, initialize, configure, and then seed a supported third-party database. The following sections contain information about database-specific configuration requirements and instructions on how to create the Software Security Center database.

For a new Software Security Center installation, the installation package includes scripts used to create and initialize a Software Security Center database. After you create and initialize the Software Security Center database, you use the Software Security Center Configuration Tool to configure connectivity to the database, and to seed the database.

Database Instance and Privileges Requirements

To create (or upgrade) a Software Security Center database, you must have sufficient privileges to do the following:
• Create a Software Security Center database in a dedicated instance (or back up and then update your existing Software Security Center dedicated database instance)
• Bind a Software Security Center user account to the dedicated database instance
• Assign the Software Security Center user account the read-write privileges required to create, initialize, and manage the Software Security Center database.

At a minimum you must have:
• A database account that enables the web application to connect to the database
• Database account privileges that allow you to create, alter, or drop the database tables, views, indexes, and the stored procedures they contain. For Oracle databases, in addition to the preceding items, you must add the privileges necessary to enable sequences.
• For runtime use, privileges for the Software Security Center database user account that permit SELECT, UPDATE, INSERT, and DELETE operations in all Software Security Center database tables, and that permit EXECUTE to execute stored procedures in the Software Security Center database.

Note: HP Fortify strongly recommends that you create just one database user account that has all of the privileges listed here, and that you create just one Software Security Center user account to perform all HP Fortify database operations, from database creation, to configuration, to seeding, and to runtime.

Database-Specific Configuration Requirements

This section contains information about the JDBC drivers required to interface with Software Security Center-supported third-party databases, the configuration requirements specific to those databases, and how to configure the databases to work with Software Security Center.

Software Security Center Database Character Set Support

For a list of the supported character sets for each third-party database type that Software Security Center supports, see the HP Fortify Software Security Center System Requirements document.

Obtaining the Database Driver Class

Software Security Center does not include the JDBC drivers required to interface with the supported third-party databases. The database administrator must obtain the JDBC JAR files required to support the type and version of third-party database you plan to use with Software Security Center.

For information about the database driver classes supported by Software Security Center and where to obtain the corresponding class JAR files, see the HP Fortify Software Security Center System Requirements document.


Configuring IBM DB2 Databases

To use IBM DB2 as the Software Security Center database, do the following:
• Make sure that buffer pools with a page size of 32 K are available for the database table spaces (including temporary tablespaces).
• Increase the number of secondary log files so that the total number of primary and secondary log files equals 256.
• Change the size of each log file to 4096, and then verify that there is enough disk space for the increased number and size of log files.
• In the DB2 Control Center (Tools, Configuration Assistant, Configure, DB2 Registry), set the values of the registry variables DB2_EVALUNCOMMITTED, DB2_SKIPDELETED and DB2_SKIPINSERTED to ON.
• In the database's JDBC connection specifier, disable progressiveStreaming (also known as dynamic data format). Example:
  jdbc:db2://<SERVER_IP>:50000/<DB_NAME>:progressiveStreaming=2
  In this example, progressiveStreaming=2 disables progressive streaming.

HP Fortify does not support internationalization of DB2 databases. For more information about DB2 character set support, see Software Security Center Database Character Set Support on page 27.

Configuring Microsoft SQL Server Databases

To use Microsoft SQL Server as the Software Security Center database, you must:
• Create a SQL Server database account for Software Security Center to use. Software Security Center does not support SQL Server access via domain or pass-through authentication accounts.
• Enable the READ_COMMITTED_SNAPSHOT database option.

To enable Microsoft SQL Server READ_COMMITTED_SNAPSHOT:
1. Verify that there are no other open connections to the database.
2. In the SQL Server database administration tool, run the following command:
   ALTER Database [SSC_Server3.7_database_name] SET READ_COMMITTED_SNAPSHOT ON
3. In sys.databases, verify that READ_COMMITTED_SNAPSHOT is set to 1.

Note: Software Security Center does not support Windows authentication for SQL Server databases.


Configuring MySQL Databases

To use MySQL as the Software Security Center database, you must configure the MySQL options file.

Note: For information about supported versions of MySQL, see the HP Fortify Software Security Center System Requirements document.

To configure the MySQL options file:
1. Stop MySQL server.
2. Navigate to the installation directory of your MySQL server.
3. Open the MySQL options file in a text editor. On Windows systems, the default options file is my.ini. On UNIX-based systems, the default options file is my.cnf.
4. In both the [mysqld] and [mysqldump] sections, set max_allowed_packet to 1G.
5. In the [mysqld] section, configure the system variables listed in the following table:

Setting                    Value
innodb_log_file_size       512M
query_cache_type           1 or 2
query_cache_size           Between 64MB and 128MB
innodb_buffer_pool_size    512MB
default_storage_engine     INNODB

6. Save the file, and then restart MySQL server.

Configuring Oracle Databases for Software Security Center

This section provides information about how to prevent Oracle database-related errors.

Case Sensitivity for Oracle 11g Databases

Oracle 11g is case insensitive by default. If you use Oracle 11g for the Software Security Center database, you must make sure that the database is case sensitive. Otherwise, logon errors can occur. For information about how to turn case sensitivity on and off, go to the following Oracle website:
http://www.oracle-base.com/articles/11g/CaseSensitivePasswords_11gR1.php

Preventing the “No more data to read from socket” Error from Occurring

If you use Oracle 10.2.0.1.0 as the Software Security Center database, you may experience an exception of the type “No more data to read from socket”. To prevent this exception from occurring, do the following:
1. Navigate to the $ORACLE_HOME/network/admin/ directory and open the tnsnames.ora file in a text editor.
2. Set the value of SERVER to DEDICATE.
3. To apply the change, go to Windows Services and restart the active listener associated with the database.
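The MySQL options-file settings required in the Configuring MySQL Databases procedure (max_allowed_packet in both sections plus the [mysqld] table) can be verified before the server is handed to Software Security Center. The following Python script is an added example, not part of this guide or the product: it parses a my.cnf/my.ini, normalises dash and underscore option spellings, and reports every documented setting that is missing or out of range; the sample file content is constructed.

```python
"""Check a MySQL options file (my.ini / my.cnf) for the Software Security
Center settings listed in this guide. Added example; not part of the guide
or the product. Required values follow the guide's table; name
normalisation, size parsing and the sample file are constructed here.
"""
import configparser
import re

# Multipliers MySQL accepts on size options: 512M, 1G, 64MB ...
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
MB = 1024 ** 2


def parse_size(value):
    """Return the byte count of a MySQL size value such as 512M, 1G or 64MB."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?)B?\s*", str(value), re.IGNORECASE)
    if not m:
        raise ValueError("not a MySQL size value: %r" % (value,))
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def load_options(text):
    """Parse options-file text into {section: {option: value}}.

    MySQL treats max-allowed-packet and max_allowed_packet as the same
    option, so names are normalised to lower-case underscores. Bare flags
    (e.g. 'quick') get the value None. '!include' / '!includedir'
    directives are skipped, so included files are NOT checked.
    """
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.optionxform = lambda name: name.strip().lower().replace("-", "_")
    cp.read_string("\n".join(lines))
    return {section: dict(cp.items(section)) for section in cp.sections()}


def _equals(size):
    return lambda v: parse_size(v) == parse_size(size)


def _between(low, high):
    return lambda v: low <= parse_size(v) <= high


# (section, option, predicate, expectation) as given in the guide's procedure.
# query_cache_type values 1 and 2 are spelled ON and DEMAND in some files.
REQUIREMENTS = [
    ("mysqld", "max_allowed_packet", _equals("1G"), "1G"),
    ("mysqldump", "max_allowed_packet", _equals("1G"), "1G"),
    ("mysqld", "innodb_log_file_size", _equals("512M"), "512M"),
    ("mysqld", "query_cache_type",
     lambda v: v.strip().upper() in ("1", "2", "ON", "DEMAND"), "1 or 2"),
    ("mysqld", "query_cache_size", _between(64 * MB, 128 * MB),
     "between 64MB and 128MB"),
    ("mysqld", "innodb_buffer_pool_size", _equals("512MB"), "512MB"),
    ("mysqld", "default_storage_engine",
     lambda v: v.strip().upper() == "INNODB", "INNODB"),
]


def check_options(text):
    """Return one finding per unmet requirement; an empty list means OK."""
    options = load_options(text)
    findings = []
    for section, name, ok, expected in REQUIREMENTS:
        value = options.get(section, {}).get(name)
        if value is None:
            findings.append("[%s] %s is not set (expected %s)"
                            % (section, name, expected))
            continue
        try:
            passed = ok(value)
        except ValueError:          # an unparsable value counts as a failure
            passed = False
        if not passed:
            findings.append("[%s] %s = %s (expected %s)"
                            % (section, name, value, expected))
    return findings


# Constructed sample: meets most of the guide's settings, but the query
# cache is too small and [mysqldump] lacks max_allowed_packet.
SAMPLE_MY_CNF = """\
[client]
port = 3306

[mysqld]
port = 3306
max-allowed-packet = 1G      # dash form; same option as max_allowed_packet
innodb_log_file_size = 512M
query_cache_type = 1
query_cache_size = 32M       # below the 64MB minimum
innodb_buffer_pool_size = 512M
default_storage_engine = InnoDB

[mysqldump]
quick
"""

if __name__ == "__main__":
    for finding in check_options(SAMPLE_MY_CNF):
        print(finding)
```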


Creating the Database

The Software Security Center installation directory structure contains database initialization scripts for all supported third-party database types. You must run these scripts to create and initialize the database tables required for Software Security Center.

Note: If you are upgrading from an earlier version of Software Security Center, do not create a new Software Security Center database. Instead, upgrade your existing database for use with Software Security Center. For information on how to upgrade your database, see Chapter 8, Upgrading Software Security Center on page 71.

Running the Create Tables Script

Before you perform the following procedure, review the information contained in the following sections:
• Database Instance and Privileges Requirements on page 27
• Database-Specific Configuration Requirements on page 27

Warning: If you are upgrading a Software Security Center instance, and you want to retain the data in the database, do not run the create-tables.sql script. Doing so will overwrite your existing Software Security Center Server database, resulting in permanent data loss. Instead, upgrade your existing database. For information about how to upgrade your existing database for use with Software Security Center, see Chapter 8, Upgrading Software Security Center on page 71.

To run the Software Security Center database creation and initialization scripts:
1. Navigate to the HP-Fortify-Server-WAR/sql directory and locate the subdirectory for the third-party database you plan to use with Software Security Center. The subdirectories for each type of supported database are as follows:
• db2
• MySQL
• Oracle
• SQLserver
2. Copy the scripts from the subdirectory that matches your Software Security Center database type to the database server or other location where you will run the scripts.
3. In the database client program, log onto the database account you created for use with Software Security Center.
4. To create and initialize the Software Security Center database tables, run the following:
   create-tables.sql

Permanently Deleting an Existing Software Security Center Database

The procedure in Running the Create Tables Script on page 30 describes how to locate the subdirectory for the third-party database you use with Software Security Center. Each of these subdirectories contains the drop-tables.sql script, which you can run to permanently delete a Software Security Center database schema along with all of the data in the database.


Configuring the Database Connection

After you create and initialize the Software Security Center database, you configure the connection between Software Security Center and the database. Before you do, you must obtain the required database driver class. For information about the database driver classes supported by Software Security Center and where to obtain the corresponding class JAR files, see the HP Fortify Software Security Center System Requirements document.

To configure database connectivity:
1. Start the Software Security Center Configuration Tool. For instructions, see Starting the Software Security Center Configuration Tool on page 36.
2. Click the Database Setup tab.
3. If you are configuring the Software Security Center database for the first time, click Add JDBC Driver. The Locate JAR file dialog box opens.
4. Browse to the location of your JDBC driver. The Software Security Center Configuration Tool uses the JDBC driver to populate the DB Driver Class list at the top of the Database Setup tab. For more information about database driver requirements, see Obtaining the Database Driver Class on page 27.


5. In the JDBC URL box, type the URL for the Software Security Center database. (For information about the syntax to use for the URL, see the documentation for your database.)
   Warning: If SQL Server is configured to use any character encoding other than Unicode, you must append the following text to the end of your JDBC URL:
   sendStringParametersAsUnicode=false
   Example: jdbc:jtds:sqlserver://dbhost:1433/ssc;sendStringParametersAsUnicode=false
6. In the DB Username box, type the username for the Software Security Center database.
7. In the DB Password box, type the password for the Software Security Center database.
8. From the DB Type list, select the type of database you are using.
9. To test the settings, click Test JDBC.
10. Do one of the following:
• Seed the new Software Security Center database instance. (See Seeding the Software Security Center Database on page 34.) If this is a new Software Security Center database, you must seed the database before you start Software Security Center.
• Click Save & Exit.
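Before clicking Test JDBC, the URL can be checked for the two driver properties this guide calls out: sendStringParametersAsUnicode=false for a non-Unicode SQL Server (step 5 above) and progressiveStreaming=2 for DB2 (Configuring IBM DB2 Databases). The following Python script is an added example, not code from this guide or the product; its parsing follows the URL shapes shown in the guide, and the sample hosts and database names are constructed placeholders.

```python
"""Pre-flight check of a Software Security Center JDBC URL for the two
driver properties this guide calls out: progressiveStreaming=2 for DB2
and sendStringParametersAsUnicode=false for SQL Server (jTDS) when the
server encoding is not Unicode. Added example, not code from the guide or
the product; the parsing follows the URL shapes shown in the guide and
the sample URLs are constructed.
"""


def jdbc_properties(url):
    """Return (driver, {property: value}) for a DB2 or jTDS SQL Server URL.

    DB2 puts properties after a colon that follows the database name
    (jdbc:db2://host:port/db:prop=val;), jTDS appends them with semicolons
    (jdbc:jtds:sqlserver://host:port/db;prop=val). Property names are
    lower-cased so callers can look them up case-insensitively.
    """
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL: %r" % (url,))
    scheme, _, rest = url[len("jdbc:"):].partition("//")
    driver = scheme.rstrip(":")            # "db2" or "jtds:sqlserver"
    if driver == "db2":
        path = rest.split("/", 1)[1] if "/" in rest else ""
        _, _, props = path.partition(":")  # text after "<DB_NAME>:"
    elif driver == "jtds:sqlserver":
        _, _, props = rest.partition(";")
    else:
        raise ValueError("this check only knows DB2 and jTDS URLs: %s" % driver)
    properties = {}
    for item in props.split(";"):
        if not item.strip():
            continue
        key, _, value = item.partition("=")
        properties[key.strip().lower()] = value.strip()
    return driver, properties


def check_jdbc_url(url, server_is_unicode=True):
    """Return findings for the guide's required properties (empty when OK).

    server_is_unicode describes the SQL Server character encoding; the
    guide requires sendStringParametersAsUnicode=false only when it is not.
    """
    driver, props = jdbc_properties(url)
    findings = []
    if driver == "db2" and props.get("progressivestreaming") != "2":
        findings.append("DB2 URL must end with :progressiveStreaming=2 "
                        "to disable progressive streaming")
    if driver == "jtds:sqlserver" and not server_is_unicode:
        if props.get("sendstringparametersasunicode", "").lower() != "false":
            findings.append("SQL Server is not Unicode: append "
                            ";sendStringParametersAsUnicode=false to the URL")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs (hosts and database names are placeholders).
    for url, unicode_server in [
        ("jdbc:db2://192.0.2.10:50000/SSCDB", True),
        ("jdbc:db2://192.0.2.10:50000/SSCDB:progressiveStreaming=2;", True),
        ("jdbc:jtds:sqlserver://dbhost:1433/ssc", False),
        ("jdbc:jtds:sqlserver://dbhost:1433/ssc;sendStringParametersAsUnicode=false", False),
    ]:
        print(url, "->", check_jdbc_url(url, unicode_server) or ["OK"])
```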


Selecting the JDK

You must configure Software Security Center to use the Java Development Kit (JDK) that is compatible with the application server you will use to run Software Security Center.

To select the JDK for Software Security Center to use:
1. Start the Software Security Center Configuration Tool. (For instructions, see Starting the Software Security Center Configuration Tool on page 36.)
2. From the Application Server JDK Version list, select the JDK to use to run your application server. For a list of supported JDKs for the supported application servers, see the HP Fortify Software Security Center System Requirements document.
3. Click Save & Exit.


Seeding the Software Security Center Database

This section contains information about how to seed the Software Security Center database, either as part of the product installation or after installation. It also provides information on how to upload seed bundles from the command line after installation.

Database Seeding as Part of Installation

This section provides instructions on how to seed a new Software Security Center database.

Seeding the Software Security Center database helps to maintain a consistent post-installation configuration. This includes the creation of the default admin user account, as well as other required entities such as project templates, process templates, report definitions, and other default data required to make Software Security Center operational.

When you log on to Software Security Center for the first time, Software Security Center requires a minimum set of data to process that initial logon and to provide basic Software Security Center functionality. Seeding creates that minimum data set in a new database.

Software Security Center requires the use of the following two seed bundles:
• The process template seed bundle (HP_Fortify_Process_Seed_Bundle_2012_Q2.zip) provides a default admin user account, as well as project template and process template data.
• The report seed bundle (HP_Fortify_Report_Seed_Bundle_2012_Q2.zip) provides the default set of Software Security Center reports.

These are the seed bundles you downloaded. (See Downloading Software Security Center Files on page 19.)

You can also install the optional PCI Basic Bundle (HP_Fortify_PCI_Basic_Seed_Bundle_2012_Q2.zip), which adds a Payment Card Industry process template and an associated report to the default set of Software Security Center process templates and reports.

After you complete the installation and seeding, you can use the Software Security Center user interface to modify any user-configurable data entities created in the seeding process.

Seeding a New Software Security Center Database

The procedure in this section assumes that you have done the following:
• Created the Software Security Center database instance (See Creating the Software Security Center Database on page 27.)
• Configured and tested the Software Security Center database connection (See Configuring the Database Connection on page 31.)
• Copied the Process Templates seed bundle file and reports seed bundle file (see Downloading Software Security Center Files on page 19) to the HP-Fortify-Server-WAR directory.

To seed a new Software Security Center database:
1. Start the Software Security Center Configuration Tool. (For instructions, see Starting the Software Security Center Configuration Tool on page 36.)
2. Click the Database Setup tab.
3. Check to make sure that the database user credentials specified in the DB Username and DB Password boxes correspond to a database user account with sufficient privileges to create, alter, and drop tables, views, indexes, and stored procedures. If you are using an Oracle database, make sure that the user account also has permission to enable sequences.


4. To seed the Software Security Center database with the default process templates:
   a. Click Seed Process Templates. The Locate Process Template configuration file dialog box opens.
   b. Browse to the process templates seed bundle file (HP_Fortify_Process_Seed_Bundle_2012_Q2.zip), and then click Open.
5. To seed the Software Security Center database with the default set of reports:
   a. Click Seed Reports. The Locate Report configuration file dialog box opens.
   b. Select the report seed bundle file (HP_Fortify_Report_Seed_Bundle_2012_Q2.zip), and then click Open.
6. (Optional) To seed the Software Security Center database with the optional PCI Basic Bundle:
   a. Click Seed Reports. The Locate Report configuration file dialog box opens.
   b. Select the PCI Basic seed bundle file (HP_Fortify_PCI_Basic_Seed_Bundle_2012_Q2.zip), and then click Open.
7. Click Validate DB.
8. After successful validation, click Save & Exit.

Uploading Seed Bundles from the Command Line

If your system does not support a GUI, you can run the Software Security Center Configuration Tool in command-line mode. Command-line mode enables you to add post-installation seed bundles to Software Security Center instances that connect to the server database.

Note: Before you can seed the database in command-line mode, you must first correctly configure all of the settings on the Database Setup tab in GUI mode.

To add a post-installation seed bundle to a configured Software Security Center database:
1. Open a command prompt and change to the <SSC_Deploy> directory.
2. Do one of the following:
• On a Windows system, run:
  ssc-configuration.cmd -seedOnly -war ssc.war -bundle <Seed_Bundle_Name>.zip
• On a Linux, UNIX, or Macintosh system, run:
  ssc-configuration -seedOnly -war ssc.war -bundle <Seed_Bundle_Name>.zip
where <Seed_Bundle_Name> represents the full path to a Software Security Center seed bundle.


Chapter 5: Configuring Software Security Center

This chapter contains information about how to configure Software Security Center. It provides instructions on how to use the Software Security Center Configuration Tool to set up your database, configure single sign-on, email notifications, web services, and more.

Starting the Software Security Center Configuration Tool

To start the Software Security Center Configuration Tool:
1. Change to the <ssc_deploy> directory, and then do one of the following:
• If your application server is installed on a Windows system, run the ssc-configuration.cmd script.
• If your application server is installed on a Linux system, run the ssc-configuration script.
The system prompts you to specify the location of the WAR file for Software Security Center.
2. Browse to and select the ssc.war file, and then click Open. The system loads the WAR file, and then prompts you to specify the location of the license file for Software Security Center.
3. Browse to and select the fortify.license file, and then click Open. The configuration tool opens to the Core tab.

The next sections provide information about the settings on each of the configuration tool tabs.

Configuration Tool Tabs

Table 4 lists the configuration tasks that you can complete on each of the tabs in the Software Security Center Configuration Tool.

Table 4: Software Security Center Configuration tool tabs

Configuration Tool Tab    Description
Core
    Use to select or configure the following:
    • Application server
    • JDK version used to run Software Security Center
    • Software Security Center password timeout and Rulepack proxy settings
    For information on selecting the JDK used to run Software Security Center, see Selecting the JDK on page 33. For a list of supported JDKs for the supported application servers, see the HP Fortify Software Security Center System Requirements document. To learn how to configure Software Security Center user account timeout and lockout settings, see Configuring User Account Timeout and Lockout Settings on page 38. For information about how to configure a proxy server for Software Security Center rulepack updates, see Configuring a Proxy for Secure Coding Rulepacks Updates on page 40.
Database Setup
    Use to specify the location and credentials of the Software Security Center third-party database. To learn how to configure Software Security Center database settings, see Creating the Software Security Center Database on page 27.


CAS Setup
    Use to configure Software Security Center to interoperate with a Central Authentication Server.
Email Setup
    Use to configure the email server settings used to send email alerts to users. To learn how to configure Software Security Center email settings, see Configuring Email Alerts on page 41.
JMS Notification
    Use to configure Software Security Center operation parameters. Use the default values unless HP Fortify support directs you to change them.
Job Configuration
    Use to configure Software Security Center’s Quartz job scheduler. Use the default values unless HP Fortify support directs you to change them.
LDAP
    Use to configure Software Security Center to interoperate with an LDAP authentication server. For information about how to configure Software Security Center LDAP settings, see Configuring LDAP User Authentication on page 49.
RTA
    Use to enable or disable RTA communications with Software Security Center. For information about how to configure Software Security Center RTA communications, see Enabling HP Fortify Real-Time Analyzer Communications on page 54.
SSO
    Use to configure Software Security Center to interoperate with a single sign-on server. For information about how to configure Software Security Center SSO, see Configuring Single Sign-On on page 46.
Web Services
    Use to configure Software Security Center web services. Use the default values unless HP Fortify support directs you to change them.



Configuring an Eclipse plug-in Update Site

You can use Software Security Center to host an Eclipse Update site. This allows you to distribute the HP Fortify Plugin for Eclipse from a central location, eliminating the need for each individual developer to install it locally.

To enable the update site, you must enable a mapping for /update-site/** in the securityContext.xml file. (The mapping is already in that file, but is commented out. You must uncomment it.) After you enable the mapping for the Eclipse Update site, run the Analyzers and Apps installer, and copy the contents of <Fortify install>/plugins/eclipse (which should consist of a site.xml file and jar files) to the update-site directory on your web server. Your developers can then point to the URL from their Eclipse IDE. (For complete client-side installation details, see the HP Fortify Plugin for Eclipse Installation and Usage Guide.)

Configuring User Account Timeout and Lockout Settings

Table 5 lists the Software Security Center user account timeout and lockout parameters along with their default values.

Table 5: Software Security Center user account timeout and lockout settings

User Account Parameter    Default Value and Description
Inactive Session Timeout (minutes)
    Default: 30 minutes. Number of minutes a user can be inactive before Software Security Center automatically logs the user off.
Absolute Session Timeout (minutes)
    Default: 240 minutes. Number of minutes a user can be continuously active before Software Security Center automatically logs the user off.
Logon Attempts before Lockout
    Default: 3 attempts. Number of times a user can try to log on to Software Security Center using invalid credentials before being locked out. If Software Security Center locks a user out, that user is prevented from attempting a new logon for the number of minutes specified for Lockout time.
Days before password reset
    Default: 30 days. Number of days a Software Security Center password remains valid before the user must change it.
Lockout time
    Default: 30 minutes. If a user attempts and fails to log on to Software Security Center the number of times specified for Logon Attempts before Lockout, Software Security Center locks the user out for the number of minutes specified for Lockout time.
Maximum Events Per Security Scope Issue
    When Software Security Center imports runtime events into project versions, it converts the events into issues. At times, multiple events are imported as one single issue. Use this box to specify the maximum number of events that Software Security Center can convert into a single issue.
Base URL for Runtime Event description server
    The runtime event details include a link to a description of the event category, which is hosted on a Software Security Center instance. If you do not want your Software Security Center instance to access the internet, change the base URL for these event category descriptions.

To specify Software Security Center user account timeout and lockout settings:
1. Start the Software Security Center Configuration Tool. (See Starting the Software Security Center Configuration Tool on page 36.)
2. On the Core tab, configure the Software Security Center user account lockout and timeout settings described in Table 5.
3. Click Save & Exit.


Configuring a Proxy for Secure Coding Rulepacks Updates

By default, Software Security Center downloads the current versions of HP Fortify Secure Coding Rulepacks you subscribe to from the Fortify Customer Portal at https://update.fortify.com. For installations that do not permit downloads directly from an external network source, you can configure Software Security Center to download Rulepacks from a proxy server.

Note: Do not change the default value of Rulepack Update URL (on the Core tab of the Software Security Center Configuration Tool) unless your HP Fortify customer support representative directs you to do so.

To configure a proxy for Rulepack updates, you need the following:
• A current subscription to one or more Secure Coding Rulepacks
• The URL, port number, and username for the proxy server to use to update Secure Coding Rulepacks

To configure a proxy for Secure Coding Rulepacks updates:
1. Start the Software Security Center Configuration Tool. (For instructions, see Starting the Software Security Center Configuration Tool on page 36.)
2. On the Core tab, configure the settings listed in the following table.

Note: Leave the Locale for Rulepacks box empty. Software Security Center does not support localized HP Fortify Secure Coding Rulepacks.

Field    Description
Proxy for Rulepack Update
    Network name or IP address of the proxy server
Proxy Port
    Port number associated with the network name or IP address specified as proxy
Proxy Username
    Valid username for your Rulepack proxy server
Proxy Password
    Valid password for your Rulepack proxy server


Configuring Email Alerts

You can configure email alerts for Software Security Center to send to the project team. Before you configure email alerts, you must create an SMTP email account for the Software Security Center project version to use.

To configure email setup:
1. Create an SMTP email account for the Software Security Center project version to use.
2. Start the Software Security Center Configuration Tool. (See Starting the Software Security Center Configuration Tool on page 36.)
3. Click the E-mail Setup tab.
4. Configure the settings listed in the following table.

Field    Description
Enable Email
    Select this check box to enable Software Security Center to send email of any type and to enable the remaining fields for configuring email alerts.
SMTP server
    SMTP server name
SMTP server port
    Port number for the SMTP server
From e-mail address
    Address to use to identify emails from Software Security Center
SMTP username
    If authentication is required on the SMTP server, type the SMTP username
SMTP password
    If authentication is required on the SMTP server, type the SMTP password


Configuring Bug Tracker Integration

Software Security Center allows your project team to submit bugs from the HP Software Security Center Collaboration Module to your bug tracking system. Software Security Center supports integration with Bugzilla, Jira, and HP ALM bug-tracking systems out of the box.

Note: If your organization uses a bug tracking system other than those supplied, you can author a new bug tracking plug-in for that system. For information about how to author and deploy a bug-tracking plug-in, see Appendix A: Authoring Software Security Center Bug Tracker plug-ins.

Note: If you are using a bug tracker plug-in prior to HP Fortify Software Security Center v3.30, contact HP Fortify technical support for assistance in migrating to the current release.

To integrate with one of the supplied bug tracking systems:
1. Log on to Software Security Center as an administrator and click the Projects tab.
2. From the Projects page, select a project version, and then click Edit. The Edit Project Version dialog box opens.
3. Click the Bug Tracker tab.
4. From the Bug Tracker list, select the bug tracker with which to integrate for this project version.
5. Complete the required fields, and then click Test. The Test Bug Tracker Configuration dialog box opens.


6. Type your bug tracker authentication credentials, and then click Test.
7. After you verify your connection to your bug tracker, click Save.

Additional Bug Tracker Configuration

When you assign a bug tracker to a project, you must provide additional configuration values. If your organization uses just one bug tracker configuration for most projects, you may save time and effort by providing default values for the bug tracker configuration items. To do this, you must manually add some properties files to the WEB-INF/classes path of the WAR file.

The properties file name must have the format <ClassNameOfPlugin>.properties. The property names must match the configuration identifier names that the plug-in uses.

Examples for the provided JIRA, Bugzilla and ALM plug-ins are in the following locations:
• <SSC_Deploy>\Samples\BugTrackerPluginAlm\test\src\AlmBugTrackerPlugin.properties
• <SSC_Deploy>\Samples\BugTrackerPluginJIRA4\test\src\Jira4BugTrackerPlugin.properties
• <SSC_Deploy>\Samples\BugTrackerPluginBugzilla\test\src\BugzillaBugTrackerPlugin.properties

You can copy these files to the WEB-INF/classes path, and then check to make sure that the defaults are loaded correctly during plug-in selection.

Securing Logon Credentials for Bug-Tracking Systems

When you file a bug from Software Security Center, you provide a username and password for the bug-tracking system. This username/password pair is saved in the HTTP session and mapped to the bug tracker for each project. If, in your deployment architecture, the session is persisted to a database or file system, passwords for the bug-tracking systems may also be persisted using lightweight encryption. Make sure that you secure these data.

Each bug tracker has a different set of bug parameters and requires different user input. These parameters are dynamic and could be fetched from the bug-tracking system itself. Default values may be provided for some parameters.

After you complete and save the bug settings, a bug is created on the bug tracking system and Software Security Center saves the bug id for the issue.


JIRA Parameters

JIRA bug tracker requires a standard summary and bug description. It also accepts values for priority level, a due date for the fix, and the assignee. Software Security Center fetches values for the Issue Type and Affects Version fields dynamically from the bug-tracking system based on the selected project.

If your JIRA project requires additional fields, then you may have to modify the plug-in before you use it. For guidance, see the plug-in authoring instructions in Appendix A: Authoring Software Security Center Bug Tracker plug-ins on page 75, or contact HP Fortify technical support.

Chapter 6, Logging On and Administering User Accounts on page 55.

HP ALM Parameters

In the HP ALM Defect Tracker - Submit Bug dialog box, select the following parameters, which reflect your individual ALM installation:
• Bug Summary
• Bug Description
• ALM Domain
• ALM Project
• Severity

If your ALM project integrates with ALI (details below), you can observe that the defect description includes candidate changesets that could have possibly introduced the issue.

There are several key points of HP Fortify Software Security Center ALM integration to remember. In order for changeset discovery to be functional, the following conditions must be met:
• Each SCA scan must be tagged with a build label, which HP Fortify Software Security Center uses to map the scan with a source-control revision number. This is achieved by including the -build-label <Revision_Number> command option while executing the source analyzer tool to translate source code into the HP Fortify analysis model.


• The ALI extension must be enabled for the individual project in ALM, and appropriate source control repositories must be configured. If the ALI extension was successfully enabled for the individual project, you can view the Code Changes tab after you log on to ALM.
• ALM bugs are logged regardless of whether the changeset discovery requirements are met. If the prerequisites are not met, then the changeset discovery message is skipped.
• Currently, Subversion is the only source control repository supported for changeset discovery.

Note: To view an ALM bug, you must have the ALM browser plug-in installed and use an ALM-compatible browser.

For more information about ALI and ALM, see your Hewlett-Packard documentation for those products.

Bugzilla Parameters

Bugzilla parameters are as follows.

Viewing Previously Logged Bugs in the Collaboration Module

A Bug Submitted column is available in the Collaboration Module and indicates whether or not a bug has been logged. Hovering over the icon in the column reveals the bug ID on the external bug tracking system.

For issues associated with a bug, a View Bug button appears in the bottom panel on the Summary tab. This opens a new browser window that allows you to log on to the external bug tracking website and view the bug. A disabled View Bug button indicates that the bug tracker plug-in did not provide an external link for the bug.

A disabled File Bug button can indicate several problems. To see why the button is disabled, hover your cursor over it and read the tooltip text.

Note: To view an ALM bug, you must have the ALM browser plug-in installed and use an ALM-compatible browser.

Changing the Bug-Tracking System for a Project

If you are changing the bug tracking system for a project that has a bug tracker assigned to it, make sure that the system indicated by the new bug tracker configuration contains all of the bugs that were logged with the previous configuration. Otherwise, the bugs already filed may become invalidated.

Configuring Single Sign-On

Software Security Center supports single sign-on (SSO). SSO enables a user to log on once to gain access to multiple, separate systems.

To configure SSO for Software Security Center:
1. Configure the web server that runs Software Security Center to serve as a proxy to Software Security Center.
2. Configure Software Security Center to use LDAP authentication. (See Configuring LDAP User Authentication on page 49.)
3. Start the Software Security Center Configuration Tool (see Starting the Software Security Center Configuration Tool on page 36).
4. Click the SSO tab, and then select the Enable SSO Integration check box.
5. In the HTTP Header for Username box, type the HTTP header to use for SSO logons.
6. Click Save & Exit.
7. Configure the filters described in the following table for the SSO agent.

Filter: <appcontext>/*
Access: Protected
Description: General access to Software Security Center is protected by the SSO solution.
Example: /ssc/*

Filter: <appcontext>/transfer/*
Access: Public
Description: Required to transfer artifacts (FPR files, reports, documents, project templates, and so on) through Software Security Center. This is for the Software Security Center user interface, web services, and client tools. (1)
Example: /ssc/transfer/*

Filter: <appcontext>/upload/*
Access: Public
Description: Required to upload artifacts (FPR files, reports, documents, project templates, and so on) through Software Security Center. This is for the Software Security Center user interface, web services, and client tools. (1)
Example: /ssc/upload/*

Filter: <appcontext>/download/*
Access: Public
Description: Required to download artifacts (FPR files, reports, documents, project templates, and so on) through Software Security Center. This is for the Software Security Center user interface, web services, and client tools. (1)
Example: /ssc/download/*

Filter: <appcontext>/fm-ws/*
Access: Public
Description: Required for the invocation of all the other web services. The client tools also use these web services to communicate with Software Security Center.
Example: /ssc/fm-ws/*

Filter: <appcontext>/d3srv (2)
Access: Public
Description: Required for rulepack updates from the client tools.
Example: /ssc/d3srv

Filter: <appcontext>/guide/*
Access: Public
Description: Public access to the Software Security Center Process Guide must be provided to everyone within the enterprise.
Example: /ssc/guide/*

(1) Because of implementation details involved in the interaction with the Adobe Flash player and the web services libraries, the <appcontext>/transfer/*, <appcontext>/upload/*, and <appcontext>/download/* filters must be handled separately.

(2) If you want to be able to run RulePack updates from within Audit Workbench or the FortifyUpdate command-line utility, you must use the <appcontext>/d3srv resource filter. Note that the forward slash and asterisk (/*) are missing from the end of the filter. For this filter, you must replace <appcontext> with the application context for Software Security Center. Example: /ssc
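The filter table above determines which Software Security Center paths the SSO agent leaves public. The following Python script, added here and not part of the guide or of HP Fortify's software, encodes that table so you can check which request paths a proxy would pass through without a logon; the matching rule it uses (a filter ending in /* covers everything under its prefix, a filter without /* matches one exact path, and the most specific matching filter wins) is an assumption about the SSO agent, not something the guide states.

```python
"""Classify request paths against the SSO filter table for Software Security Center.

Added example, not HP Fortify code. Filter patterns and Public/Protected values
are copied from the guide's table; the matching rule is an assumption.
"""

DEFAULT_APPCONTEXT = "/ssc"

# (filter pattern, access) rows, exactly as listed in the guide's table.
SSO_FILTERS = [
    ("<appcontext>/*", "Protected"),
    ("<appcontext>/transfer/*", "Public"),
    ("<appcontext>/upload/*", "Public"),
    ("<appcontext>/download/*", "Public"),
    ("<appcontext>/fm-ws/*", "Public"),
    ("<appcontext>/d3srv", "Public"),   # no trailing "/*" (footnote 2)
    ("<appcontext>/guide/*", "Public"),
]


def expand_filters(appcontext=DEFAULT_APPCONTEXT):
    """Substitute the real application context (for example "/ssc") into every pattern."""
    return [(pattern.replace("<appcontext>", appcontext), access)
            for pattern, access in SSO_FILTERS]


def _matches(path, pattern):
    """Prefix match for "/*" patterns, exact match for patterns without "/*"."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-2] + "/")
    return path == pattern


def classify(path, appcontext=DEFAULT_APPCONTEXT):
    """Return (access, matched_filter) for the most specific filter covering path,
    or (None, None) when no filter applies (the request is outside SSC)."""
    best = (None, None)
    for pattern, access in expand_filters(appcontext):
        if _matches(path, pattern) and (best[1] is None or len(pattern) > len(best[1])):
            best = (access, pattern)
    return best


def unauthenticated_paths(paths, appcontext=DEFAULT_APPCONTEXT):
    """Given request paths (for example from the proxy's access log), return those
    the SSO agent would serve without a logon. Use it to confirm that only the
    artifact, web-service, rulepack and process-guide paths are exposed."""
    return [p for p in paths if classify(p, appcontext)[0] == "Public"]


if __name__ == "__main__":
    # Constructed sample paths; they are not taken from a real SSC deployment.
    sample = ["/ssc/transfer/results.fpr", "/ssc/d3srv", "/ssc/d3srv/extra",
              "/ssc/index.html", "/ssc/fm-ws/services", "/other/app"]
    for p in sample:
        print(p, "->", classify(p))
```

Note that a request below /ssc/d3srv/ (with a further path element) falls back to the Protected <appcontext>/* filter, which is the effect of the missing /* described in footnote 2.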

Configuring HP Fortify CloudScan Monitoring and Troubleshooting in Software Security Center

You can monitor or troubleshoot the CloudScan Controller or view the scan results from Software Security Center. To enable this functionality, you must configure the integration from both HP Fortify CloudScan and Software Security Center.

To configure CloudScan monitoring functionality in Software Security Center:
1. Navigate to your <CloudScan_Installation>/tomcat/webapps/cloud-ctrl/WEB-INF/classes directory, and then open the config.properties file in a text editor.
2. For the ssc_cloudctrl_secret parameter, specify a password for Software Security Center to use when it requests data from the CloudScan Controller.
3. Save and close the config.properties file.
4. Start the Software Security Center Configuration Tool (see Starting the Software Security Center Configuration Tool on page 36).
5. Click the CloudScan tab, and then provide the information described in the following table.

CloudScan Controller URL: URL of the CloudScan Controller.
Enable CloudScan Poll: Select this check box to enable polling of the CloudScan Controller to retrieve job status.
CloudScan Period (seconds): Interval that Software Security Center uses to poll the CloudScan Controller for job information. The default is 120 seconds.
SSC and CloudScan Controller Shared Secret: Password that Software Security Center uses when it requests data from the CloudScan Controller. The CloudScan Controller verifies the password when administration console data is requested. This string must match the value stored in the CloudScan Controller config.properties file for the ssc_cloudctrl_secret key (see Step 2).

6. Click Save & Exit.

Software Security Center now displays the CloudScan tab after a user logs on. For more information, see the Software Security Center User's Guide.

Configuring LDAP User Authentication

The following sections provide an overview of user authentication in Software Security Center and instructions on how to configure LDAP authentication and LDAP server options. They also include instructions on how to register LDAP entities with Software Security Center and how to manage LDAP user roles.
• Overview of Software Security Center User Authentication
• Preparing to Configure LDAP Authentication
• Configuring LDAP Server Options

Note: For information about managing LDAP entities and user roles in Software Security Center, see Registering LDAP Entities with Software Security Center on page 58 and Managing LDAP User Roles on page 59.

Overview of Software Security Center User Authentication

This section describes how to use the HP Fortify Software Security Center Configuration Tool to configure Software Security Center to interoperate with an LDAPv3, UTF8, Active Directory authentication server.

Database-only Authentication

By default, when a user logs on to the Software Security Center user interface or uses an HP Fortify client to upload Fortify project results files, Software Security Center uses its database to authenticate that user. After authenticating a user, Software Security Center binds the authenticated user to his or her assigned Software Security Center user role (Administrator, Security Lead, Developer, or Auditor).

The default database-only authentication method can be augmented by using LDAP to authenticate users. However, database-only authentication imposes a separate administrative process for creating and managing Software Security Center user accounts and roles. That separate administrative process is why most administrators prefer to augment Software Security Center's default database-only authentication with LDAP. LDAP authentication enables a single administrative process to create and manage user authentication for multiple network entities, including Software Security Center.

Software Security Center LDAP Authentication

Software Security Center can be configured to augment its native database-only user authentication with LDAP user authentication. The use of LDAP enables an LDAP administrator to centrally manage user authentication across multiple network entities, including Software Security Center.

Preparing to Configure LDAP Authentication

Review the following sections before configuring Software Security Center to use LDAP authentication:
• Download the JXplorer LDAP Browser
• Create an LDAP Account for use by Software Security Center
• Avoid Conflicts Between Account Names
• Gather and Record Required Information

Download the JXplorer LDAP Browser

If you are not familiar with the LDAP schema that your LDAP server uses, you can use the third-party tool JXplorer to view and modify LDAP authentication directories. You can download JXplorer for free under a standard OSI-style open source license from http://www.jxplorer.org.

Create an LDAP Account for use by Software Security Center

If your LDAP server does not permit anonymous binding, create a read-only LDAP account for use by Software Security Center. Software Security Center requires an account with permissions necessary to read user attributes and authenticate users.

Even if your LDAP server supports anonymous binding, you may prefer to create an LDAP read-only account for Software Security Center to use.

Never use a user's account name to provide Software Security Center access to an LDAP server.

Avoid Conflicts Between Account Names

If the LDAP directory contains the default Software Security Center account admin, a conflict occurs that can disable both accounts.

If an existing Software Security Center account name has the same name as an account name defined for the LDAP server, Software Security Center's account settings and attributes take precedence over those stored on the LDAP server.

Gather and Record Required Information

Before you configure Software Security Center to use LDAP, review Configuring LDAP Server Options on page 51 and record any information you need to successfully complete the configuration process.

Configuring LDAP Server Options

The Software Security Center Configuration Tool includes an LDAP tab that supplants the need to edit text files or run text-based command-line utilities. You can also use it to simultaneously assign multiple LDAP entities to Software Security Center project versions.

To configure LDAP server options:
1. Start the Software Security Center Configuration Tool. (For instructions, see Starting the Software Security Center Configuration Tool on page 36.)
2. Click the LDAP tab.
3. Complete the fields described in the following table of LDAP configuration parameters.

Enable LDAP Integration: Select this check box to enable the remaining fields required for LDAP integration.

Cache LDAP User Data: Select this check box to enable LDAP user data caching in Software Security Center.
Note: HP Fortify recommends that you leave LDAP user caching enabled. Changes to user information made directly in the LDAP server may not be reflected in Software Security Center for up to an hour. However, a slow connection between the Software Security Center and LDAP server, or a large LDAP directory with slow searches, could degrade Software Security Center performance. Typically, user data are seldom changed directly in the LDAP server.

Enable Nested LDAP Groups: Select this check box to enable nested group support for LDAP in Software Security Center.
Note: Use nested LDAP groups only if it is absolutely necessary. Enabling nested LDAP groups forces Software Security Center to perform extra tree traversals during authentication.

Server URL: URL of the LDAP authentication server.
If you use unsecured LDAP, use the following format: ldap://<hostname>:<port>
If you use secured LDAPS, use the following format: ldaps://<hostname>:<port>
LDAPS ensures that user credentials are encrypted before they are transmitted.

Bind User DN: Full distinguished name (DN) of the account Software Security Center uses to connect to the authentication server. The general format for an account specifier is as follows:
cn=<accountName>,ou=users,dc=<domainName>,dc=com
where accountName represents the minimum-privilege, read-only authentication server account you created for exclusive use by Software Security Center.
Warning: Never use a user's account name in a production environment.
If you use Active Directory, specify the full username with domain, in the following format: <Domain_Name>\<Username>

Bind User Password: Password for the Bind User DN account.

Base DN: Base Distinguished Name (DN) for LDAP directory structure searches. For example, the Base DN for companyName.com would be dc=companyName,dc=com.
All DN values are case sensitive, must not contain extra spaces, and must exactly match LDAP server entries.

Relative Search DNs (1 per line) (Optional): Relative Distinguished Name (RDN). An RDN defines the starting point from the Base DN for LDAP directory searches. HP Fortify recommends searching from the base DN. However, if your LDAP directory is so large that searching for Software Security Center users takes too long, use an RDN to limit the number of LDAP entries searched. Example: To search within the base DN companyName.com and all entries under that base DN, specify cn=users, or specify cn=users,ou=divisionName to recursively search all entries under that path.

Object class attribute: Class of the object. For example, objectClass.

Distinguished name (DN) attribute: Full distinguished name of the object. Example: dn

User class: Object class that identifies an LDAP object type as a user. The default is organizationalPerson.

User username attribute: User object attribute that specifies a username. The default is sAMAccountName.

User first name attribute: User object attribute that specifies a user's first name. The default is givenName.

User last name attribute: User object attribute that specifies a user's last name. The default is sn.

User email attribute: User object attribute that specifies a user's email address. The default is mail.

Group class: Object class that identifies an LDAP object type as a group.

Group name attribute: Group attribute that specifies the group name. The default is member.

Group member attribute: Group attribute that defines the members of the group. The default is group.

Organizational unit class: Object class that identifies an LDAP object as an organizational unit. The default is container.

Organizational unit name attribute: Group attribute that specifies the organizational unit name. The default is cn.

4. To test your LDAP connection, click Test LDAP.
5. After you successfully test the connection, click Save & Exit.

Enabling HP Fortify Real-Time Analyzer Communications

This section provides information about how to enable Software Security Center to communicate with HP Fortify Real-Time Analyzer (RTA).

Software Security Center includes a Runtime tab, which you can use to configure, monitor, and manage instances of RTA running in Federated mode. (By default, Software Security Center does not enable communications with RTA, or enable the Runtime tab.) For information about how to use the Runtime tab, see the HP Fortify Real-Time Analyzer Operator Guide.

For information about RTA, see the following documents:
• HP Fortify Real-Time Analyzer Operator Guide
• HP Fortify Real-Time Analyzer: Java Edition Designer Guide
• HP Fortify Real-Time Analyzer: Java Edition Installation and Configuration Guide
• HP Fortify Real-Time Analyzer: Microsoft .NET Edition Installation and Configuration Guide

To enable Software Security Center to communicate with RTA:
1. Start the Software Security Center Configuration Tool. (For instructions, see Starting the Software Security Center Configuration Tool on page 36.)
2. Click the RTA tab.
3. Select the Enable RTA check box.
Warning: Do not change any other runtime settings unless HP Fortify Support specifically directs you to do so.
4. Click Save & Exit.

Chapter 6: Logging On and Administering User Accounts

This chapter begins with instructions on how to deploy Software Security Center in your application server and then start and log on to Software Security Center for the first time. Later sections address user administration and provide instructions on how to set up user accounts for your team. This chapter also provides instructions on how to configure custom attributes that your users can assign to projects.

Deploying Software Security Center in Your Application Server

This section provides information about how to deploy Software Security Center in your application server.

Deploying Software Security Center in Tomcat Application Servers

To deploy Software Security Center in a Tomcat application server:
1. Stop the Tomcat server.
2. Extract the ssc.war file contents into a deployment folder in the Tomcat installation directory.
3. Copy the hibernate jars from ssc.war into the <JBOSS_Install_Dir>/common/lib directory.
4. Restart the Tomcat server.

Deploying Software Security Center in WebLogic Application Servers

To deploy Software Security Center in a WebLogic application server:
1. Stop the WebLogic server.
2. Extract the ssc.war file contents into a deployment folder in the WebLogic installation directory.
3. Restart the WebLogic server.

Deploying Software Security Center in JBoss Enterprise Application Platform

To deploy JBoss Enterprise Application Platform (JBoss EAP) with Software Security Center:
1. Stop the JBoss web server.
2. Extract the ssc.war file contents into a deployment folder in the JBoss installation directory (for example, <JBOSS_Install_Dir>/server/default/deploy/ssc.war).
3. Navigate to the <JBOSS_Install_Dir>/common/lib directory and, except for the hibernate-entitymanager.jar file, delete all hibernate*.jar files.
4. Copy the hibernate jars from ssc.war into the <JBOSS_Install_Dir>/common/lib directory.
5. Restart the JBoss server.

Deploying Software Security Center in WebSphere

To deploy Software Security Center in WebSphere:
1. Start WebSphere, and then log on to the administrative console.
2. In the panel on the left, expand Applications, and then click Enterprise Applications.
3. In the panel on the right, specify the file system path to the ssc.war file, and then complete the installation.
4. Restart WebSphere.

Starting Software Security Center

To start Software Security Center after you have created and initialized your Software Security Center database and configured your application server, do the following:
1. Use your application server's controls to load and start Software Security Center. Most application servers include utilities for loading and starting applications without affecting the operation of other applications.
2. In your web browser address bar, type the following:
https://[Host_IP]:[Port]/ssc
where [Port] represents the port number used by your application server. The default port is 8080.
Note: Although you can use insecure communication (http://[Host_IP]:[Port]/ssc), HP Fortify strongly recommends that you use the secure https protocol.
The Software Security Center logon screen opens.

Logging On to Software Security Center for the First Time

To log on to a new instance of Software Security Center for the first time:
1. Log on to the default admin account using the username "admin" and password "admin".
2. Change the default password. Software Security Center passwords must be at least eight characters long and contain at least one of the following:
• Upper-case letter
• Lower-case letter
• Non-alphanumeric character

After you log on to Software Security Center, create at least one non-default administrator account and then delete the default admin account. For more information about managing Software Security Center user accounts and roles, see Overview of Software Security Center User Administration.

Overview of Software Security Center User Administration

This section contains the following topics:
• Administrator Accounts
• Security Lead, Manager, and Developer Accounts

Administrator Accounts

Administrator accounts have complete access to all Software Security Center user and project version data. More important, an administrator-level account is the only kind that can:
• Create new user accounts
• Edit or delete other users' accounts

HP Fortify recommends that, after you log on to Software Security Center for the first time, you create at least one non-default administrator account, and then delete the default admin account. After you create a non-default administrator account, use that account to create Software Security Center Security Lead, Manager, and Developer user accounts.

Security Lead, Manager, and Developer Accounts

In addition to the administrator-level account used to administer user accounts, Software Security Center supports the following three account levels, in order of descending level of authority:
• Security Leads. Security Leads have access to all administrative operations except user account creation and editing. The Security Lead can create project versions and edit all aspects of the project versions they have either created or to which they are assigned.
• Managers. Managers have read-only access to most administrative data, and can create and edit all data for the project versions to which they are assigned.
• Developers. Developers have read-only access to some administrative data, and create and edit a subset of data for the project versions to which they are assigned.

All Software Security Center user account types can edit their own account information.

Creating User Accounts

The Users module provides tools you can use to edit, delete, or suspend all user accounts.

To create a user account:
1. Log on to Software Security Center as an administrator, and then click the Administration tab.
2. In the Administration panel on the left, under System, click Users.
3. In the Local Users panel on the right, click Add.
4. Complete all required fields. Use the descriptions provided in Security Lead, Manager, and Developer Accounts on page 57 as a guide to selecting a role or roles for the new account.
5. Click Save.
The Local Users panel lists the new account.

Note: As a Software Security Center administrator, you can delete or suspend all user accounts except for the last remaining administrator-level account. Software Security Center automatically disables the suspend and delete features for such an account.

For information about how to configure Software Security Center user account timeout and lockout settings, see Configuring User Account Timeout and Lockout Settings on page 38. For more information about user account privileges, see the HP Fortify Software Security Center User's Guide.

Registering LDAP Entities with Software Security Center

Software Security Center administrators can add LDAP organizational units, groups, and users to Software Security Center's list of users.

To register an LDAP organizational unit, group, or user with Software Security Center:
1. Log on to Software Security Center as an administrator.
2. On the Administration tab, click LDAP.
3. Click Add. The Register LDAP Entity dialog box opens.
4. Do the following:
a. From the LDAP Entity list, select the type of LDAP entity to register.
b. In the Name box, type the entity name. Click the search icon to validate the name entry in the LDAP server. For information about how to specify the LDAP server, see Configuring LDAP Server Options on page 51.
c. Under Role(s), select the check box for at least one of the Software Security Center roles for the selected LDAP entity.
d. Click Save.
Software Security Center adds the entity to its list of users.

Managing LDAP User Roles

An RDN further qualifies a base DN. For example, if the base DN for a given LDAP directory is dc=domainName,dc=com, and the full DN is cn=group1,ou=users,dc=domainName,dc=com, then the RDN is cn=group1,ou=users.

The following sections describe how to use LDAP relative distinguished names (RDNs) to determine user roles.

How Software Security Center Determines Group Membership

For Software Security Center to recognize that a user is a member of a particular group, the user account must refer to a group object in the LDAP directory. When the user logs on, Software Security Center looks up the user in the LDAP directory. Software Security Center determines the user's group by the common name (CN) specified in the group membership attribute. If the user belongs to multiple groups, and those groups are mapped to different roles, Software Security Center assigns the user all roles.

Software Security Center supports nested groups. For example, if a user is a member of group A and group A is a member of group B, Software Security Center recognizes that the user is a member of both groups.

Mapping Software Security Center Roles to LDAP Groups

In most environments, the LDAP directory contains some users who do not need access to Software Security Center. Also, certain groups of users may require different access privileges.

Before you configure LDAP user authorization, you must decide which LDAP groups to associate with which Software Security Center roles (Administrator, Manager, Developer, Auditor). HP Fortify recommends that you create new LDAP groups that map directly to the different Software Security Center roles. For example, a FORTIFY_ADMINS group and a FORTIFY_DEVELOPERS group.
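The following Python script is an added example (not HP Fortify code) that applies the rules from the LDAP configuration parameter table and from this section: it derives an RDN or Relative Search DN from a full DN and the Base DN, comparing case-sensitively and rejecting extra spaces as the guide requires, and it flags the settings the guide warns about (unsecured ldap://, nested groups, disabled user caching). The settings keys it reads are hypothetical names chosen for this script, not the Configuration Tool's field names.

```python
"""DN handling and a settings check for the Software Security Center LDAP options.

Added example, not HP Fortify code. Settings keys (server_url, base_dn,
bind_user_dn, relative_search_dns, nested_groups, cache_user_data) are
hypothetical names for this script.
"""
import re

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")                 # split RDN components
_SERVER_URL = re.compile(r"^(ldap|ldaps)://[^/:\s]+:\d{1,5}$")  # ldap(s)://<hostname>:<port>
_AD_BIND = re.compile(r"^[^\\\s]+\\[^\\\s]+$")              # <Domain_Name>\<Username>


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs. Rejects empty components and any
    whitespace around attributes or values, which the guide says must not appear."""
    comps = []
    for part in _UNESCAPED_COMMA.split(dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"DN component {part!r} is not attribute=value")
        if (attr, value) != (attr.strip(), value.strip()):
            raise ValueError(f"extra whitespace in DN component {part!r}")
        comps.append((attr, value))
    return comps


def relative_dn(full_dn, base_dn):
    """Return the part of full_dn above base_dn, compared case-sensitively.
    cn=group1,ou=users,dc=domainName,dc=com relative to dc=domainName,dc=com
    is cn=group1,ou=users, exactly as in the guide's example."""
    full, base = parse_dn(full_dn), parse_dn(base_dn)
    if len(full) <= len(base) or full[-len(base):] != base:
        raise ValueError(f"{full_dn!r} is not under base DN {base_dn!r}")
    return ",".join(f"{a}={v}" for a, v in full[:-len(base)])


def check_ldap_settings(s):
    """Return a list of findings for a settings dict; an empty list means no concerns."""
    findings = []
    url = s.get("server_url", "")
    if not _SERVER_URL.match(url):
        findings.append("server_url must be ldap://<hostname>:<port> or ldaps://<hostname>:<port>")
    elif url.startswith("ldap://"):
        findings.append("server_url uses unsecured LDAP: bind and user credentials are sent "
                        "in clear text; use ldaps:// so they are encrypted in transit")
    try:
        parse_dn(s.get("base_dn", ""))
    except ValueError as e:
        findings.append(f"base_dn: {e}")
    bind = s.get("bind_user_dn", "")
    if not _AD_BIND.match(bind):          # not the Active Directory form, so it must be a DN
        try:
            parse_dn(bind)
        except ValueError as e:
            findings.append(f"bind_user_dn: {e}")
    for rdn in s.get("relative_search_dns", []):
        try:
            parse_dn(rdn)                 # the tool appends this to the Base DN
        except ValueError as e:
            findings.append(f"relative_search_dn {rdn!r}: {e}")
    if s.get("nested_groups"):
        findings.append("nested groups enabled: extra tree traversals on every "
                        "authentication; leave off unless absolutely necessary")
    if not s.get("cache_user_data", True):
        findings.append("LDAP user caching disabled: HP Fortify recommends leaving it enabled")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not from a real directory.
    sample = {"server_url": "ldap://ldap.example.com:389",
              "base_dn": "dc=companyName, dc=com",
              "bind_user_dn": "cn=sscReader,ou=users,dc=companyName,dc=com",
              "relative_search_dns": ["cn=users,ou=divisionName"],
              "nested_groups": True, "cache_user_data": True}
    for finding in check_ldap_settings(sample):
        print("-", finding)
    print(relative_dn("cn=group1,ou=users,dc=domainName,dc=com", "dc=domainName,dc=com"))
```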

Creating Custom Project Attributes

Software Security Center comes with customizable technical and business attributes that enable administrators and security leads to categorize projects and project versions.

To create a project attribute:
1. Log on to Software Security Center as an administrator and click the Administration tab.
2. From the Administration panel on the left, select General > Attribute Definitions. The Attribute Definitions panel opens on the right.
3. Click Add. The Create Attribute Definition dialog box opens.
4. Complete the fields described in the following table (* marks a required field).

*Name: Type a descriptive name that provides some idea of what the attribute is for.

Description: Type a brief description that contains enough detail so that users understand exactly what the attribute is for. Your description is displayed under the attribute field in the Create Project Version wizard.

Required: Select this check box to require users to set this attribute while creating a project template.

Hidden: Select this check box to prevent the new attribute from being displayed in the Create Project Version wizard.

*Category: From this list, select either Technical or Business to indicate the type of attribute you are creating. If your Software Security Center instance is integrated with WebInspect, the list also includes the Dynamic Scan Request category. Depending on the category you select, the attribute is displayed on either the Business Attributes step or the Technical Attributes step of the Create Project Version wizard.

*Scope: From this list, select the value that indicates whether the attribute applies only to project versions, runtime applications, or to both.

*Type: From this list, select one of the following control types:
• To create a check box for the attribute, select Boolean.
• To create a calendar selection control for the attribute, select Date. Note: This type is not available for Dynamic Scan Request attributes.
• To create a list from which a user can select only a single value for the attribute, select List of Values - Single Selection.
• To create a list from which a user can select multiple values for the attribute, select List of Values - Multiple Selection.
• To create a field that accepts an integer value, select Number.
• To create a text field into which a user can type a single line of text, select Text - Single Line.
• To create a text field into which a user can type multiple lines of text, select Text - Multiple Lines.

5. Click Save.
The new attribute is available the next time a user creates a project version using the Create Project Version wizard.

Chapter 7: Using the fortifyclient Utility

This chapter provides information about Software Security Center's fortifyclient command-line utility (on Windows systems, fortifyclient.bat), which you can use to securely transfer objects to and from Software Security Center.

Requirements for Using fortifyclient

To use fortifyclient to upload HP Fortify project results (FPR), you must have the URL for your Software Security Center instance, and one of the following:
• A user account on the Software Security Center server with privileges sufficient to perform the operation specified by the fortifyclient command-line utility
• A fortifyclient authentication token

Understanding fortifyclient Authentication Tokens

fortifyclient authentication tokens enable scripted processes to perform operations without revealing Software Security Center user names and passwords. You can use the credentials for any existing Software Security Center user account to create an authentication token. The token inherits the privilege level of the account type (Administrator, Security Lead, Manager, Developer) of the user who created the token. When fortifyclient uses an authentication token to perform an operation, Software Security Center logs the operation under the account name used to create the token.

Running the fortifyclient Utility

This section contains the following topics:
• Specifying the Software Security Center URL
• Listing fortifyclient Options and Parameters
• Acquiring an Upload Authentication Token
• Listing fortifyclient Authentication Tokens
• Listing Project Versions
• Downloading FPRs
• Importing Content Bundles

Specifying the Software Security Center URL

Most fortifyclient commands include the URL of the Software Security Center. The Software Security Center URL passed to fortifyclient must include both the port number and the context path /ssc/. The correct format for the Software Security Center URL is as follows:
http://nnn.nnn.nnn.nnn:8080/ssc/
In the examples provided in this chapter, [ssc_URL] represents a correctly formatted URL.

Listing fortifyclient Options and Parameters

To list fortifyclient commands and parameters:
1. From the command line, change to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. At the command prompt, type fortifyclient. (On a Windows system, type fortifyclient.bat.)
In Software Security Center, command and option names are case-sensitive.

Acquiring an Upload Authentication Token

fortifyclient upload authentication tokens enable account and password information to be concealed while FPRs are uploaded to Software Security Center.
To perform the procedure described in this section, you must have the following:
• Your Software Security Center URL (see Specifying the Software Security Center URL on page 62)
• A Software Security Center user account with privileges that allow you to use the fortifyclient access token
To use fortifyclient to acquire an analysis upload token:
1. In <ssc_install_dir>/Deployment/fortifyclient/bin, type the following:

fortifyclient -url [ssc_URL] token -gettoken AnalysisUploadToken -user [AccountName]
where AnalysisUploadToken is the case-sensitive fortifyclient upload token specifier.
fortifyclient prompts for a password.
2. Type the password for [AccountName].
fortifyclient displays a token of the general form cb79c492-0a78-44e3-b26c-65c14df52e86.
3. Copy the token returned by fortifyclient into a text file.
The ability of fortifyclient to use the token to read or write information to or from Software Security Center corresponds to the account privileges of the Software Security Center user account specified by the -user parameter.

Specifying DaysToLive for fortifyclient Authentication Tokens

As described in Acquiring an Upload Authentication Token on page 63, fortifyclient supports tokens that enable administrators to conceal user account information. You can use the -daysToLive parameter to configure fortifyclient tokens to expire after a specified number of days. The following example command illustrates the use of the -daysToLive parameter to acquire a token that expires after two days:
fortifyclient -url [ssc_URL] token -gettoken AnalysisUploadToken -user admin -daysToLive 2
The case-sensitive daysToLive parameter must be typed exactly as shown in this example.

Listing fortifyclient Authentication Tokens

Software Security Center administrators can use fortifyclient to list all existing access tokens for all Software Security Center user accounts. The fortifyclient utility does not support filtering the list of tokens by Software Security Center account name or account privilege level.
To list all access tokens:
1. Navigate to the <ssc_install_dir>/Deployment/fortifyclient/bin directory, and then run the following:
fortifyclient -url [ssc_URL] listtokens -user [AdminAccountName]
where AdminAccountName is the name of a Software Security Center Administrator-level user account.
2. When prompted, type the password for the administrator-level user account.
A list of the ID, owner, creation date, expiration date, and creation IP address for all fortifyclient authentication tokens is returned.

Listing Project Versions

You can use fortifyclient to list the Software Security Center project versions accessible by the account used to create a particular access token. (Administrator-level users can view all project versions; Security Lead users can view all project versions they created or to which they have been granted access; Manager and Developer account users can view project versions to which they have been granted access.)
To perform the command in this section, you must first perform the procedure under Acquiring an Upload Authentication Token on page 63.
To retrieve a list of project identifiers, project names, and project versions, in <ssc_install_dir>/Deployment/fortifyclient/bin:
• Run the following:
fortifyclient -url [ssc_URL] -authtoken [token] listprojects
where [token] is a valid fortifyclient authentication token. (You can also use the -user and -password parameters to specify user account credentials.)
For all project versions accessible to the user account that created the token, the fortifyclient utility lists the project version’s ID, name, and version number.

Uploading FPRs

A common task is to periodically upload FPRs to Software Security Center. fortifyclient upload access tokens support the use of the AccessUploadToken token to conceal user credentials when using scripts to periodically upload FPRs to Software Security Center. To provide additional security, you can also use an access token’s DaysToLive parameter.
You can upload FPR files using one of the two methods described in this section:
• Using a Software Security Center Project Identifier to Upload FPR Files
• Using a Software Security Center Project and Project Version to Upload FPR Files

Note: To perform the procedures described in this section, you must first obtain an authentication token. (See Acquiring an Upload Authentication Token on page 63.)

Using a Software Security Center Project Identifier to Upload FPR Files

To upload an FPR into Software Security Center using a project identifier:
1. Navigate to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -authtoken [token] uploadFPR -file [FPRname.fpr] -projectID [ID_number]
where
[ssc_URL] represents the URL for your Software Security Center instance
[token] represents a valid fortifyclient authentication token
[FPRname.fpr] represents the full pathname to the FPR file
[ID_number] represents the Software Security Center project identifier

For information about how to acquire Software Security Center project identifiers, see Listing Project Versions on page 64.

Using a Software Security Center Project and Project Version to Upload FPR Files

To upload an FPR into a Software Security Center project version using the project name and version:
1. Navigate to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -authtoken [token] uploadFPR -file [FPRname.fpr] -project [ProjectName] -version [ProjectVersion]
where
[ssc_URL] represents the URL for your Software Security Center instance
[token] represents a valid fortifyclient authentication token
[FPRname.fpr] represents the full path to the FPR file
[ProjectName] represents the Software Security Center project name
[ProjectVersion] represents the Software Security Center project version that corresponds to the specified project name
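The following script is an added example, not part of this guide or of the fortifyclient distribution, that ties together the token procedure (Acquiring an Upload Authentication Token, with the -daysToLive parameter) and the upload-by-project-identifier procedure above for use in a scheduled job. It checks the Software Security Center URL against the format this chapter requires (port number plus the /ssc/ context path), reads the token from a file rather than embedding it in the script, and refuses to build a command from a malformed token or a non-positive daysToLive value. The function names, the temporary token file, the account name scanbot, the project identifier 42 and the FPR path are this example's own constructed values; the script only prints the fortifyclient command lines it assembles. Note that, exactly as in the guide's own commands, the token is passed with -authtoken on the command line, so it is visible in the process's argument list while fortifyclient runs; bounding the token's life with -daysToLive limits what that exposure is worth.

```shell
#!/bin/sh
# Added example, not from the HP Fortify guide or the fortifyclient tool itself.
# Helpers for scripting "fortifyclient uploadFPR" with an AnalysisUploadToken:
#   - the SSC URL is checked against the form the guide requires
#     (port number plus the /ssc/ context path, e.g. http://nnn.nnn.nnn.nnn:8080/ssc/)
#   - the token is read from a file instead of being written into the script
#   - the token is sanity-checked against the UUID shape fortifyclient prints
# Function names, file paths and sample values below are this example's own.

# Return 0 when the URL has the form http(s)://host:port/ssc/.
ssc_url_ok() {
  printf '%s\n' "$1" | grep -Eq '^https?://[^/:]+:[0-9]+/ssc/$'
}

# Return 0 when the token matches the general form the guide shows,
# e.g. cb79c492-0a78-44e3-b26c-65c14df52e86 (the guide's sample value).
token_ok() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Read a token from a file (surrounding whitespace trimmed); fail if the file
# is missing or the content is not token-shaped.
read_token() {
  tok=$(tr -d ' \t\r\n' < "$1" 2>/dev/null) || return 1
  token_ok "$tok" || return 1
  printf '%s\n' "$tok"
}

# Print the command that requests an AnalysisUploadToken for a user, with the
# case-sensitive -daysToLive parameter so the token expires after $3 days.
# Arguments: url user days
build_gettoken_cmd() {
  ssc_url_ok "$1" || { echo "bad SSC URL: $1 (need http://host:port/ssc/)" >&2; return 1; }
  printf '%s\n' "$3" | grep -Eq '^[1-9][0-9]*$' \
    || { echo "daysToLive must be a positive integer" >&2; return 1; }
  printf 'fortifyclient -url %s token -gettoken AnalysisUploadToken -user %s -daysToLive %s\n' "$1" "$2" "$3"
}

# Print the upload command for a project identifier.
# Arguments: url token fpr_path project_id
build_upload_cmd() {
  ssc_url_ok "$1" || { echo "bad SSC URL: $1 (need http://host:port/ssc/)" >&2; return 1; }
  token_ok "$2" || { echo "malformed token" >&2; return 1; }
  [ -n "$3" ] && [ -n "$4" ] \
    || { echo "usage: build_upload_cmd url token fpr projectID" >&2; return 1; }
  printf 'fortifyclient -url %s -authtoken %s uploadFPR -file %s -projectID %s\n' "$1" "$2" "$3" "$4"
}

# Demo with constructed values: writes a sample token file with owner-only
# permissions, then prints the token request and the upload command.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' 'cb79c492-0a78-44e3-b26c-65c14df52e86' > "$dir/upload.token"
  chmod 600 "$dir/upload.token"
  tok=$(read_token "$dir/upload.token") || { rm -rf "$dir"; return 1; }
  build_gettoken_cmd http://10.0.0.1:8080/ssc/ scanbot 2
  build_upload_cmd http://10.0.0.1:8080/ssc/ "$tok" /var/scans/webapp.fpr 42
  rm -rf "$dir"
}

demo
```

In a real job the token file would be created once, from the interactive token procedure, and kept readable only by the account that runs the upload; the printed command is then executed in place of the printf.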

Downloading FPRs

You can use fortifyclient to download FPRs by specifying either the Software Security Center project identifier or the project version. This section provides the procedures to download FPRs using both methods.

Downloading an FPR Using a Project Identifier

To use fortifyclient to download an FPR file from Software Security Center using a project identifier:
1. Change to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -user [UserName] -password [password] downloadFPR -file [FPRname.fpr] -projectID [ID_number]
where
[UserName] represents the user name for a Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
[password] represents the password for the Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
[FPRname.fpr] represents the full pathname to the FPR file
[ID_number] represents the Software Security Center project identifier

Software Security Center does not support the use of authentication tokens to download FPRs.
For more information about how to acquire Software Security Center project identifiers, see Listing Project Versions on page 64.

Downloading Using a Software Security Center Project and Project Version

To download an FPR from a Software Security Center project version using the project name and version:
1. Change to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -user [Username] -password [Password] downloadFPR -file [FPRname.fpr] -project [Project_Name] -version [Project_Version]
where
[Username] represents the user name for a Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
[Password] represents the password for the Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
[FPRname.fpr] represents the full pathname to the FPR file
[Project_Name] represents the Software Security Center project name
[Project_Version] represents the Software Security Center project version that corresponds to the named project

Importing Content Bundles

As part of its ongoing support for Software Security Center, HP Fortify periodically provides content bundles (.zip filename extension) that contain one or more project templates, process templates, or report definitions.
To import a content bundle into Software Security Center:
1. Navigate to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -user [Username] -password [Password] import -bundle [Bundle_Name]
where
[Username] represents the user name for a Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
[Password] represents the password for the Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
[Bundle_Name] represents the full pathname to the content bundle (.zip filename extension)
Software Security Center does not support the use of access tokens to upload content bundles.

Archiving and Restoring Runtime Events

You can use the fortifyclient command-line utility to archive and restore HP Fortify Real-Time Analyzer events. Software Security Center includes a Runtime tab, which provides access to Runtime Console tools and features that you can use to manage one or more instances of RTA running in Federated mode. The fortifyclient utility includes a new set of features to support the Runtime Console.
Note: For information about how to use the Runtime tab, see the HP Fortify Real-Time Analyzer Operator Guide.

Archived Runtime Events

Software Security Center stores runtime event archives in its database. You can download stored archives for external storage or for data mining. Archived events are removed from Software Security Center charts and lists.

Restored Runtime Events

Software Security Center re-assigns all restored events to Runtime Applications on the basis of the Runtime Console’s current set of application assignment rules. For information about Runtime Console application assignment rules, see the HP Fortify Real-Time Analyzer: Java Edition User Guide.

Listing Runtime Applications

Before you can archive events for a given runtime application, you must use fortifyclient to obtain that application’s numeric identifier.
To obtain a list of all runtime application identifiers:
1. Navigate to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -user [AccountName] -password [Password] listRuntimeApplications
where
[AccountName] represents the user name for a Manager, Security Lead, or Administrator account with access to the Software Security Center runtime application
[Password] represents the password that corresponds to the [AccountName] specified for the Manager, Security Lead, or Administrator account that has access to the runtime application
The fortifyclient command-line utility returns a list of numeric runtime application IDs and names.

Archiving Runtime Events

To archive the events for a runtime application:
1. Navigate to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -user [Account_Name] -password [Password] archiveRuntimeEvents -startDate [mmddyyyy] -endDate [mmddyyyy] -applicationIds [AppID1,AppID2,...]
where
[Account_Name] represents the user name for a Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application
[Password] represents the password that corresponds to the [Account_Name] specified for the Manager, Security Lead, or Administrator account with access to the runtime application
[mmddyyyy] represents the date of the first and last runtime events to include in the archive
[AppID1,AppID2,...] represents the numeric identifiers of the runtime applications to archive

Listing Runtime Archives

To use fortifyclient to list the runtime event archives contained in the Software Security Center database:
1. Navigate to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -user [Account_Name] -password [Password] listRuntimeEventArchives
where
[Account_Name] represents the name of the Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application
[Password] represents the password that corresponds to the [Account_Name] specified
The fortifyclient command-line utility returns a list of numeric archive IDs, runtime application names, start dates, end dates, and restored status values (true or false).

Restoring Runtime Events

To restore an archived set of runtime events:
1. Navigate to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -user [Account_Name] -password [Password] restoreRuntimeEventArchive -archiveId [ArchiveID1,ArchiveID2,...]
where
[Account_Name] represents the name associated with the Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application
[Password] represents the password that corresponds to the [Account_Name] specified
[ArchiveID1,ArchiveID2,...] represents the numeric identifiers of one or more runtime archives to restore

Chapter 8: Upgrading Software Security Center

Overview of Upgrading a Software Security Center Database

This chapter provides the instructions for a database administrator to upgrade a Software Security Center database. Upgrading the Software Security Center database involves the following tasks:
• Configure core Software Security Center server properties and your database settings
• Generate migration SQL
• Run the migration SQL script on the database
• Seed the database
• Undeploy the currently deployed war file
• Deploy the new war file
To perform the upgrade, you must have Software Security Center version 2.65 or later installed. If you have an earlier version installed, see the 2.65 version of the HP Fortify Software Security Center Installation and Configuration Guide for instructions on how to upgrade to release 2.65, and then use the instructions in this guide to upgrade to the latest Software Security Center version. If you are upgrading from a Software Security Center version earlier than 2.5, contact Technical Support.

Preparing to Upgrade Your Software Security Center Database

The Software Security Center database migration process creates larger transactions than those created during regular use. For Software Security Center databases that have been successfully run in production environments, database migration does not typically require changes to your database configuration or resources. For large databases, HP Fortify recommends that you review and, if necessary, increase the database resources and settings required to accommodate the migration process.

MySQL Server: Setting the Innodb Buffer Pool

If you are upgrading a MySQL database, HP Fortify recommends that you add the following to your MySQL configuration:
innodb_buffer_pool_size=512M
For more information about how to configure MySQL for use with Software Security Center, see Configuring MySQL Databases on page 29.

Configuring Connectivity to the Upgraded Database

To deploy Software Security Center, you used the Software Security Center Configuration Tool to specify the connection parameters Software Security Center requires to interoperate with your third-party database. When you upgrade Software Security Center, you use the same configuration tool to specify the database connection parameters to the Software Security Center WAR file (ssc.war). For information about how to run the Software Security Center Configuration Tool to configure Software Security Center database connectivity, see Configuring the Database Connection on page 31.

Running Software Security Center Database Upgrade Scripts

This section includes descriptions of tasks to perform before you upgrade your Software Security Center database and instructions on how to create and run the database migration script.

Preparing to Run the Database Upgrade Script

Before you run the database upgrade script, perform the following tasks:
• Use your database client tool to back up your existing Software Security Center database.
• Acquire the database account information you used to create your existing Software Security Center database.
• Review the information in Database Instance and Privileges Requirements on page 27.
The Software Security Center database upgrade scripts require the same database privileges that the database creation scripts require.

Generating and Running the Database Migration Script

To upgrade your existing database for use with Software Security Center:
1. Start the Software Security Center Configuration Tool. (For instructions, see Starting the Software Security Center Configuration Tool on page 36.)
2. On the Core tab, configure the core server properties.
3. Click the Database Setup tab and configure your database settings. Make sure that the database user credentials you specify in the DB Username and DB Password boxes correspond to a database user account with sufficient privileges to create, alter, and drop tables, views, and indexes, and to execute stored procedures. If you are using an Oracle database, make sure that the user account also has permission to enable sequences.
4. Click Test JDBC.
5. After you are sure that the database connection works correctly, click Generate Migration SQL.
The Generate Migration SQL dialog box opens.
6. Copy the database migration script from the sub-directory that matches your Software Security Center database type to the database server or other location from which you plan to run the scripts.

7. In the database client program, log on to the database account created for Software Security Center.
You must use the same database account you initially created. For more information about creating a database account for use by Software Security Center, see Database Instance and Privileges Requirements on page 27.
8. Run the SQL migration script that you generated in Step 5.
Keep a record of the output. If an error occurs, contact HP Fortify Support.

Re-seeding Your Upgraded Database and Deploying the WAR File

After you upgrade your existing Software Security Center database, you must use the Software Security Center Configuration Tool to seed the upgraded database with the latest seed bundles. At a minimum, this means re-seeding the Software Security Center database with the process template and report seed bundles. For information about how to seed a Software Security Center database, see Seeding the Software Security Center Database on page 34.
If you added the optional PCI Basic Bundle to your database, you must re-seed with the Software Security Center version of the PCI Basic Bundle.
To seed the upgraded Software Security Center database:
1. Start the Software Security Center Configuration Tool, and then click the Database Setup tab.
2. Check to make sure that the database user credentials specified in the DB Username and DB Password boxes correspond to a database user account with sufficient privileges to create, alter, and drop tables, views, and indexes, and to execute stored procedures. If you are using an Oracle database, make sure that the user account also has permission to enable sequences.
3. To seed the Software Security Center database with the default process templates:
a. Click Seed Process Templates.
The Locate Process Template configuration file dialog box opens.
b. Browse to the process templates seed bundle file (HP_Fortify_Process_Seed_Bundle_2012_Q2.zip), and then click Open.
4. To seed the Software Security Center database with the default set of reports:
a. Click Seed Reports.
The Locate Report configuration file dialog box opens.
b. Select the report seed bundle file (HP_Fortify_Report_Seed_Bundle_2012_Q2.zip), and then click Open.
5. (Optional) To seed the Software Security Center database with the optional PCI Basic Bundle:
a. Click Seed Reports.
The Locate Report configuration file dialog box opens.
b. Select the report seed bundle file (HP_Fortify_PCI_Basic_Seed_Bundle_2012_Q2.zip), and then click Open.
Note: For information about how to upload seed bundles from the command line, see Uploading Seed Bundles from the Command Line on page 35.
6. If you have not done so already, check to make sure that the other tabs within the Configuration Tool (Core, LDAP, E-mail Setup, and so on) are configured correctly.
7. Click Save & Exit.
Next, update the war file. For instructions, see Updating the WAR File.

Updating the WAR File

To update the ssc.war file:
1. Undeploy the currently deployed war file. For instructions, see the documentation for your application server.
2. If you have not done so already, check to make sure that the settings on the Configuration Tool tabs (Core, Database Setup, and so on) are configured correctly. Then deploy the new ssc.war file. (See Chapter 4, Deploying Software Security Center on page 18.)

Troubleshooting Database Migration Problems

In the Software Security Center Configuration Tool, when you click Validate DB, the tool checks whether the database upgrade completed successfully. If the Software Security Center Configuration Tool detects an error in the upgraded database, it displays the message “Database Validation Failed” or “you have unmigrated process templates”.
Seeding error messages are formatted as follows:
ERROR yyyy-mm-dd hh:mm:ss,nnn[com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Process template [templateName]is not migrated. Please seed the new seed bundle with this template, or update the template through process template designer.
If a database validation error message occurs, navigate to the <install_dir>/logs directory, open the ssc-configuration.log file in a text editor, and look for the cause of the error. If you can use the information in ssc-configuration.log to correct the error, re-seed the database with the version 3.70 seed bundles. If you cannot use the information in ssc-configuration.log to correct the error, contact HP Fortify Support for assistance.
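The following script is an added example, not part of this guide or of the Software Security Center tooling, that automates the log inspection just described: it scans ssc-configuration.log for the GlobalSeedManagerImpl "is not migrated" error in the format shown above and lists every process template that still needs re-seeding, so an upgrade runbook can fail fast instead of relying on someone reading the log by eye. The function names are this example's own, and the embedded log content is constructed to match the documented message layout rather than copied from a real installation.

```shell
#!/bin/sh
# Added example, not from the HP Fortify guide: a post-migration check that scans
# ssc-configuration.log for the GlobalSeedManagerImpl "is not migrated" error
# documented in the guide and lists the process templates that still need re-seeding.
# The log path argument and the sample log content are this example's own;
# the message layout follows the format the guide documents.

# Print the name of every process template reported as not migrated, one per line.
# The template name sits between "Process template [" and the next "]".
unmigrated_templates() {
  grep 'GlobalSeedManagerImpl' "$1" 2>/dev/null \
    | grep 'is not migrated' \
    | sed -n 's/.*Process template \[\([^]]*\)\].*/\1/p'
}

# Return 0 if the log contains no unmigrated-template errors, 1 otherwise.
# A missing or unreadable log counts as a failure, so a wrong path cannot pass silently.
migration_log_clean() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  if [ -n "$(unmigrated_templates "$1")" ]; then return 1; fi
  return 0
}

# Constructed sample log (not real SSC output) in the documented message format.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
INFO 2012-11-05 09:14:02,118[com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Seeding process templates
ERROR 2012-11-05 09:14:03,402[com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Process template [Custom Review Workflow]is not migrated. Please seed the new seed bundle with this template, or update the template through process template designer.
ERROR 2012-11-05 09:14:03,410[com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Process template [Legacy Triage]is not migrated. Please seed the new seed bundle with this template, or update the template through process template designer.
INFO 2012-11-05 09:14:04,001[com.fortify.manager.DAL.impl.GlobalSeedManagerImpl] - Seeding reports
EOF

# Report on a log file; exit status 1 when re-seeding is required.
# Pass a real <install_dir>/logs/ssc-configuration.log path in place of the sample.
report() {
  if migration_log_clean "$1"; then
    echo "no unmigrated process templates in $1"
  else
    echo "re-seed required; unmigrated process templates:"
    unmigrated_templates "$1" | sed 's/^/  /'
    return 1
  fi
}

report "$SAMPLE_LOG" || true
```

Running the script on the constructed log prints the two template names; on a clean log, report returns 0 and the runbook can proceed to Updating the WAR File.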

Appendix A: Authoring Software Security Center Bug Tracker Plug-ins

Software Security Center supports integration with external bug tracking systems. This integration allows Software Security Center users to log bugs for issues while auditing them in the Collaboration Module. As delivered, the system is already capable of integrating with JIRA 4, Bugzilla 3.4, and ALM 11/ALI 2.0. If your company uses a different bug-tracking system, you can author a new plug-in for it. This appendix provides information about how to author and deploy a new bug-tracking plug-in.
Note: HP Fortify strongly recommends that you inspect the delivered plug-in samples. You can find these samples in the <SSC_Deploy>/Samples/BugTrackerplugin/<BugTrackerPlugin_Name> directory.

Use Case

You (the Software Security Center administrator) can configure an external bug-tracking system to use with a given Software Security Center project version, as described in Chapter 5, Configuring Bug Tracker Integration on page 42. Software Security Center displays the required configuration parameter fields for the bug tracker you select, and you set the values for these just one time for the project version. After you test the bug-tracker configuration parameter values for validity (optional), you save them to the database for use whenever a user logs a defect for the project version.
A user who submits a bug against a project version logs on to the bug tracker, and then completes the required fields that the bug tracker supplies for the bug parameters. Required parameter information can include such items as summary, description, severity level, component, and so on.
The plug-in framework supports a dynamic aspect to bug-tracking parameters. Whenever a user changes a parameter value, the plug-in detects the change and an updated list of bug parameters with new list selections becomes available.
When a bug is filed, the bug ID is saved in the database against the issue. The user can then navigate to the bug using an external bug link, which the plug-in supplies.
The credentials accepted from the user filing the bug are saved in the server session, and are reused for bugs subsequently submitted against the project during the same session.

Project Setup

The bug tracker plug-in can be an independent project that you can write using your preferred IDE. Configure a bug tracker plug-in project with the following dependencies:
• fortify-public-3.4.jar (required)
• Apache Commons Logging (optional)
• Apache Commons Lang (optional)
• Any other API jar that does not conflict with libraries already packaged with ssc.war
You can use your preferred build system to build your project distributable.

Implementation

All plug-ins must implement the com.fortify.pub.bugtracker.plugin.BugTrackerPlugin interface. HP Fortify strongly recommends that your implementation class extend com.fortify.pub.bugtracker.plugin.AbstractBugTrackerPlugin so that you can take advantage of any backward-compatibility support that becomes available in future releases. Additionally, you must annotate the implementation class with @BugTrackerPluginImplementation. During runtime, Software Security Center scans its binaries to identify all classes marked with this annotation and loads them as plug-ins. The BugTrackerPlugin interface is as follows:

    import java.util.List;
    import java.util.Map;

    public interface BugTrackerPlugin {
        // Whether the framework must collect user credentials for bug-tracking operations.
        public boolean requiresAuthentication();
        // Metadata for the configuration fields shown to the administrator.
        public List<BugTrackerConfig> getConfiguration();
        // Called right after instantiation with the saved configuration values.
        public void setConfiguration(Map<String, String> configuration);
        // Validate the configuration against the bug-tracking system.
        public void testConfiguration(UserAuthenticationStore credentials);
        public String getShortDisplayName();
        public String getLongDisplayName();
        // Metadata for the bug parameters presented to the user filing a bug.
        public List<BugParam> getBugParameters(IssueDetail issueDetail,
                UserAuthenticationStore credentials);
        // Called when a parameter marked hasDependentParams changes value.
        public List<BugParam> onParameterChange(IssueDetail issueDetail,
                String changedParamIdentifier, List<BugParam> currentValues,
                UserAuthenticationStore credentials);
        public Bug fileBug(BugSubmission bug, UserAuthenticationStore credentials);
        public void validateCredentials(UserAuthenticationStore credentials);
        public Bug fetchBugDetails(String bugId, UserAuthenticationStore credentials);
        // External link to the bug, used by the user interface.
        public String getBugDeepLink(String bugId);
    }

Plug-in Methods and Method Calls

The following table lists the methods and calls to use with your plug-in.

Method or Call: requiresAuthentication
Description: This method is expected to return true if it requires the framework to request credentials from the user for any bug-tracking operation. This almost always returns true, except in cases where the plug-in gets its credentials using a different mechanism, perhaps from the credential store, or if the plug-in interacts with the bug-tracking system asynchronously and not in real time. If the method returns false, the system passes null for all the UserAuthenticationStore parameters of the plug-in methods.

Method or Call: getConfiguration
Description: The plug-in framework uses the getConfiguration method to get metadata about the questions to be presented to the user during plug-in configuration. The return value is a list of BugTrackerConfig objects that provide the required information about each configuration item. Each item corresponds to a text box in the user interface. The value field of each item specifies the default value for the text box.

Method or Call: setConfiguration (call)
Description: After you select the bug-tracking system for the project version and save the configuration to the database, all future interactions with the plug-in are preceded by the setConfiguration call, which sets the configuration the plug-in uses to carry out its operations.

Method or Call: testConfiguration (call)
Description: The plug-in framework uses the testConfiguration call to test the configuration previously set using the setConfiguration call. This method is expected to contact the bug-tracking system using the configuration details set and validate them to the fullest extent possible. The user credentials are fetched from the user if this plug-in declared that it requires authentication.

getShortDisplayName
Returns a short display name for the plug-in. This string populates the list of available bug tracker plug-ins.

getLongDisplayName
Returns a display name that includes additional identification of the bug-tracking system, obtained from the configuration. This name is used, for example, when the user is prompted to provide credentials for the bug-tracking system.

getBugParameters
Returns metadata about the bug parameters to present to users. Software Security Center supports the following three bug parameter types:
• BugParamText translates to a text box.
• BugParamTextArea translates to a multiple-line text box and is typically used for bug descriptions.
• BugParamChoice translates to a list.
Bug summary and bug description are typically bug parameters, and you can specify default values for these fields using the issueDetail object that is passed to the method. The protected pluginHelper member has a helper method that builds a suggested default bug description. (See Plug-in Helper on page 78.)

onParameterChange
The plug-in framework calls this method whenever the value of a bug parameter marked hasDependentParams (see the BugParamChoice class javadoc) changes. The method can take action and return a new list of bug parameters to display. Keep the following guidelines in mind:
• Act on each bug parameter that has dependent parameters.
• Handle the case in which the parameter value changes to null (no selection made).
• When the choice list of a dependent parameter changes, set that parameter's value in the returned list to null.
• Before you add a new parameter, check the returned list to make sure that it does not already include the parameter.
• Return null if there is no change.
• Use one of the following strategies:
  • Modify the currentValues parameter and return it.
  • Construct the return value from raw parameters that you maintain, setting values and choice lists before returning.
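The following plug-in fragment is an added example written to illustrate getBugParameters and the onParameterChange guidelines above; it is not one of the HP Fortify sample plug-ins. A Project list marked hasDependentParams drives a dependent Component list. Only the package com.fortify.pub.bugtracker.support is named by this guide; the other package names, the BugParam setter names, the onParameterChange signature and the pluginHelper.buildDefaultBugDescription call are assumed from the public API javadoc and must be checked against your release. The project-to-component table is constructed sample data standing in for a lookup against the bug-tracking system.

```java
package com.example.bugtracker;  // hypothetical package name

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import com.fortify.pub.bugtracker.plugin.AbstractBugTrackerPlugin;   // package assumed
import com.fortify.pub.bugtracker.support.BugParam;                  // package assumed for the next five
import com.fortify.pub.bugtracker.support.BugParamChoice;
import com.fortify.pub.bugtracker.support.BugParamText;
import com.fortify.pub.bugtracker.support.BugParamTextArea;
import com.fortify.pub.bugtracker.support.IssueDetail;
import com.fortify.pub.bugtracker.support.UserAuthenticationStore;

// Abstract so that only the two methods under discussion are shown; a real plug-in
// must implement the rest of the BugTrackerPlugin interface as well.
public abstract class DependentParamsExamplePlugin extends AbstractBugTrackerPlugin {

    private static final String PROJECT = "project";
    private static final String COMPONENT = "component";
    private static final String SUMMARY = "summary";
    private static final String DESCRIPTION = "description";

    // Constructed sample data; a real plug-in asks the bug tracker for this on each call.
    private static final Map<String, List<String>> COMPONENTS = new HashMap<String, List<String>>();
    static {
        COMPONENTS.put("WEBAPP", Arrays.asList("login", "checkout", "admin"));
        COMPONENTS.put("API", Arrays.asList("gateway", "auth-service"));
    }

    @Override
    public List<BugParam> getBugParameters(IssueDetail issueDetail, UserAuthenticationStore credentials) {
        List<BugParam> params = new ArrayList<BugParam>();
        BugParamChoice project = new BugParamChoice();   // rendered as a list
        project.setIdentifier(PROJECT);
        project.setDisplayLabel("Project");
        project.setRequired(true);
        project.setHasDependentParams(true);   // a change here triggers onParameterChange
        project.setChoiceList(new ArrayList<String>(COMPONENTS.keySet()));
        params.add(project);
        BugParamText summary = new BugParamText();   // rendered as a text box
        summary.setIdentifier(SUMMARY);
        summary.setDisplayLabel("Summary");
        summary.setRequired(true);
        summary.setValue(issueDetail.getSummary());   // default taken from the SSC issue
        params.add(summary);
        BugParamTextArea description = new BugParamTextArea();   // rendered as a multi-line box
        description.setIdentifier(DESCRIPTION);
        description.setDisplayLabel("Description");
        // Helper-built default (method name assumed); the user may edit it, so fileBug
        // has to read the final text from BugSubmission.getParams(), not getIssueDetail().
        description.setValue(pluginHelper.buildDefaultBugDescription(issueDetail, true));
        params.add(description);
        return params;
    }

    @Override
    public List<BugParam> onParameterChange(IssueDetail issueDetail, String changedParamIdentifier,
                                            List<BugParam> currentValues, UserAuthenticationStore credentials) {
        if (!PROJECT.equals(changedParamIdentifier)) {
            return null;   // only Project has dependents, so any other change leaves the form as it is
        }
        BugParam project = findParam(currentValues, PROJECT);
        BugParamChoice component = (BugParamChoice) findParam(currentValues, COMPONENT);
        String selected = project == null ? null : project.getValue();

        if (selected == null || selected.length() == 0) {
            // Selection cleared: a dependent list without a parent is meaningless, so drop it.
            // If it was never there the form is unchanged, which is reported by returning null.
            if (component == null) {
                return null;
            }
            currentValues.remove(component);
            return currentValues;
        }
        if (component == null) {   // check first so repeated changes never add a duplicate
            component = new BugParamChoice();
            component.setIdentifier(COMPONENT);
            component.setDisplayLabel("Component");
            component.setRequired(true);
            currentValues.add(component);
        }
        List<String> choices = COMPONENTS.get(selected);
        component.setChoiceList(choices == null ? Collections.<String>emptyList() : choices);
        component.setValue(null);   // the choice list changed, so the old selection is no longer valid
        return currentValues;   // strategy 1: the modified currentValues list is returned
    }

    private static BugParam findParam(List<BugParam> params, String identifier) {
        for (BugParam p : params) if (identifier.equals(p.getIdentifier())) return p;
        return null;
    }
}
```

The method follows the first strategy (modify currentValues and return it). Note that the null branch returns null only when nothing on the form actually changes; removing a stale dependent list is a change and must return the list.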


For a detailed explanation of each parameter and other supporting classes, see the public API javadoc.

Plug-in Helper
If your bug tracker plug-in class extends the provided AbstractBugTrackerPlugin class, a protected member of type BugTrackerPluginHelper (pluginHelper) is available. Use this helper object for frequently needed plug-in operations such as building bug descriptions, locating parameters, and loading default values. Consult the javadoc for details, and look at how the helper is used in the plug-in samples.

Error Handling
For proper error handling and reporting, use the following strategy across all plug-in methods when throwing exceptions:
• Throw com.fortify.pub.bugtracker.support.BugTrackerException for any error that the user can act on: an invalid configuration, errors reported by the bug-tracking system, the bug-tracking system being unavailable, and so on. The message carried by this exception is relayed to the user and is expected to be user friendly.
• Throw com.fortify.pub.bugtracker.support.BugTrackerAuthenticationException if, and only if, the credentials supplied to the bug-tracking system are incorrect. This exception causes the cached bug tracker credentials to be cleared, so do not use it for other failures (such as a valid account that lacks permission), or credentials that are in fact valid are discarded.
• Throw RuntimeException or one of its subclasses for internal errors.

Almost Stateless
As soon as a plug-in object is instantiated, setConfiguration is called. The only state a plug-in should keep is the set of configuration values supplied by this method. From that point on, every plug-in call is expected to be stateless: a plug-in instance must not hold other state, leave connections open, or try to reuse a connection opened during a previous call. Software Security Center does not cache or reuse plug-in instances across plug-in operations. Open new connections on each call and clean up before the method returns.

fileBug
Files a bug on the external bug-tracking system. The BugSubmission object passed in carries all bug details. Make sure that you distinguish correctly between bug.getIssueDetail() and bug.getParams(): getIssueDetail() returns the details of the Software Security Center issue, whereas getParams() returns the bug parameter values that the user entered. If you exposed Bug Description as a user-editable bug parameter, fetch the description from bug.getParams() rather than from bug.getIssueDetail(), or the user's edits are lost. The return value of the fileBug method must be a bug identifier (bugId) that can later be passed to fetchBug to retrieve the bug and to getBugDeepLink to build a deep link.

fetchBug
Fetches the current status of a bug.

getBugDeepLink
Builds a deep link to the bug. If the bug tracker does not support deep links, return null.
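The fragment below is an added example (not HP's code) of fileBug, fetchBug and getBugDeepLink written against the Error Handling and Almost Stateless rules: configuration is the only field, every call opens and closes its own connection, HTTP 401 alone becomes a BugTrackerAuthenticationException, and anything else the user can act on becomes a BugTrackerException. The bug tracker's REST endpoints and the X-Bug-Id and X-Bug-Status response headers are constructed for the example, as is the "url" configuration key; the package of AbstractBugTrackerPlugin, the Bug(id, status) constructor, IssueDetail.getSummary() and the UserAuthenticationStore accessors are assumed from the public API javadoc and must be checked against your release.

```java
package com.example.bugtracker;  // hypothetical package name

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Pattern;
import com.fortify.pub.bugtracker.plugin.AbstractBugTrackerPlugin;   // package assumed
import com.fortify.pub.bugtracker.support.Bug;   // Bug(id, status) constructor assumed
import com.fortify.pub.bugtracker.support.BugSubmission;
import com.fortify.pub.bugtracker.support.BugTrackerAuthenticationException;
import com.fortify.pub.bugtracker.support.BugTrackerException;
import com.fortify.pub.bugtracker.support.UserAuthenticationStore;

// Abstract so that only the methods under discussion are shown; a real plug-in
// must implement the rest of the BugTrackerPlugin interface as well. Needs Java 10+.
public abstract class FilingExamplePlugin extends AbstractBugTrackerPlugin {
    // Bug ids are echoed into URLs later, so accept only the form the sample tracker issues.
    private static final Pattern SAFE_BUG_ID = Pattern.compile("[A-Z]+-[0-9]{1,9}");
    private String baseUrl;

    @Override
    public void setConfiguration(Map<String, String> config) {   // called once, right after instantiation
        baseUrl = config.get("url");   // assumed configuration key; the only state this plug-in keeps
        if (baseUrl == null || !baseUrl.startsWith("https://")) {
            throw new BugTrackerException("Bug tracker URL must be set and use https");   // user-fixable
        }
    }

    @Override
    public String fileBug(BugSubmission bug, UserAuthenticationStore credentials) {
        // Form values come from getParams(): the user may have edited the description there.
        // getIssueDetail() is only the fallback for what SSC itself knows about the issue.
        Map<String, String> params = bug.getParams();
        String summary = params.get("summary");
        if (summary == null || summary.trim().isEmpty()) {
            summary = bug.getIssueDetail().getSummary();   // IssueDetail.getSummary() assumed
        }
        String description = params.get("description") == null ? "" : params.get("description");
        String body = "summary=" + URLEncoder.encode(summary, StandardCharsets.UTF_8)
                + "&description=" + URLEncoder.encode(description, StandardCharsets.UTF_8);
        String bugId = call("POST", "/rest/issues", body, credentials, "X-Bug-Id");   // constructed endpoint and header
        requireSafeBugId(bugId);
        return bugId;   // SSC stores this and hands it back to fetchBug and getBugDeepLink
    }

    @Override
    public Bug fetchBug(String bugId, UserAuthenticationStore credentials) {
        requireSafeBugId(bugId);
        String status = call("GET", "/rest/issues/" + bugId, null, credentials, "X-Bug-Status");
        return new Bug(bugId, status == null ? "UNKNOWN" : status);
    }

    @Override
    public String getBugDeepLink(String bugId) {
        requireSafeBugId(bugId);
        return baseUrl + "/browse/" + bugId;
    }

    // One request per call: open, send, check the status, read one response header, disconnect.
    // No connection outlives the method; SSC never reuses the plug-in instance anyway.
    private String call(String method, String path, String body,
                        UserAuthenticationStore credentials, String responseHeader) {
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) new URL(baseUrl + path).openConnection();
            conn.setRequestMethod(method);
            conn.setConnectTimeout(10000); conn.setReadTimeout(30000);
            String login = credentials.getUserName() + ":" + credentials.getPassword();   // accessors assumed
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(login.getBytes(StandardCharsets.UTF_8)));
            if (body != null) {
                conn.setDoOutput(true);
                conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
                OutputStream out = conn.getOutputStream();
                try { out.write(body.getBytes(StandardCharsets.UTF_8)); } finally { out.close(); }
            }
            int status = conn.getResponseCode();
            // 401 means wrong credentials and nothing else: SSC reacts by dropping its cached ones.
            if (status == 401) throw new BugTrackerAuthenticationException("Bug tracker rejected the user name or password");
            // A valid login without permission is user-actionable but not a credential problem.
            if (status == 403) throw new BugTrackerException("The bug tracker account may not perform this action");
            if (status >= 400) throw new BugTrackerException("Bug tracker returned HTTP " + status);
            return conn.getHeaderField(responseHeader);
        } catch (IOException e) {   // tracker unreachable or failing: the user can act on this
            throw new BugTrackerException("Cannot reach bug tracker at " + baseUrl + ": " + e.getMessage());
        } finally {
            if (conn != null) conn.disconnect();
        }
    }

    private static void requireSafeBugId(String bugId) {
        if (bugId == null || !SAFE_BUG_ID.matcher(bugId).matches()) throw new BugTrackerException("Unexpected bug id: " + bugId);
    }
}
```

The bug id check matters because the value returned by fileBug is stored by Software Security Center and later spliced into a URL by fetchBug and getBugDeepLink; validating it on the way in and on the way out keeps a misbehaving tracker from turning that path into a request to somewhere else.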


Changeset Discovery
If your bug-tracking system integrates with a version control system (as is the case with HP ALM), Software Security Center can provide additional information about the changesets that might have introduced the issue for which a bug is being logged. Such plug-ins must also implement the ChangesetDiscoveryPlugin interface. Extending AbstractBugTrackerAndChangesetDiscoveryPlugin is highly recommended.

    import java.util.List;
    import java.util.Map;

    public interface ChangesetDiscoveryPlugin {

        // Returns the identifiers of the changesets merged after greaterThanRevision,
        // up to and including lesserThanOrEqualToRevision, that touch touchingFilePath.
        public List<String> queryChangesetsBetween(String greaterThanRevision,
                String lesserThanOrEqualToRevision, String touchingFilePath,
                Map<String, String> bugParams,
                UserAuthenticationStore credentials);
    }

If SCA scans are tagged with build revisions, this method is used to query for the changesets that were merged between the last scan in which the issue was not seen and the first scan in which it was seen. The result of the discovery is made available to the fileBug method in the BugSubmission object.

Debugging
Apache Commons Logging is supported in plug-ins. The resulting log output is appended to the file ssc.log in the application server's logs directory. All exceptions are logged automatically. You can also debug your plug-in remotely by connecting to the application server from the plug-in project within your IDE.

Deployment
To deploy a bug tracker plug-in, build a jar that contains the plug-in classes and any classes they depend on. Also prepare the library jar files that your plug-in uses, and check that these libraries do not conflict with the jar files already in ssc.war.
1. Start the Software Security Center configuration tool. (See Starting the Software Security Center Configuration Tool on page 36.)
2. Click the Bug Tracker Plugins tab.
3. Click Add/Replace Plugin Jar.
4. Add all the jar files and save.
5. Deploy the resulting war file.
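As an added example of the ChangesetDiscoveryPlugin method from the Changeset Discovery section above, the fragment below answers queryChangesetsBetween from a local git clone; it is not HP's ALM integration and is not part of this guide's sample plug-ins. The revisions and file path arrive from outside the plug-in, so they are validated and handed to git as separate process arguments, never through a shell. The repositoryPath configuration key is an assumption, as is the package of AbstractBugTrackerAndChangesetDiscoveryPlugin; git rev-list, the "--" path separator and ProcessBuilder behave as shown.

```java
package com.example.bugtracker;  // hypothetical package name

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import com.fortify.pub.bugtracker.plugin.AbstractBugTrackerAndChangesetDiscoveryPlugin;   // package assumed
import com.fortify.pub.bugtracker.support.BugTrackerException;
import com.fortify.pub.bugtracker.support.UserAuthenticationStore;

// Abstract so that only the changeset query is shown; the bug tracker methods are omitted here.
public abstract class GitChangesetExamplePlugin extends AbstractBugTrackerAndChangesetDiscoveryPlugin {

    // Revisions reach git as command-line arguments: require a leading alphanumeric so that
    // a value such as "--output=/tmp/x" can never be interpreted as an option.
    private static final Pattern SAFE_REVISION = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._/-]{0,127}");
    private static final Pattern SAFE_PATH = Pattern.compile("[A-Za-z0-9_][A-Za-z0-9._/ -]{0,511}");

    private File repositoryDir;   // the only state kept, taken from setConfiguration

    @Override
    public void setConfiguration(Map<String, String> config) {
        String dir = config.get("repositoryPath");   // assumed configuration key
        if (dir == null || !new File(dir, ".git").isDirectory()) {
            throw new BugTrackerException("repositoryPath must point at a git checkout");   // user-fixable
        }
        repositoryDir = new File(dir);
    }

    @Override
    public List<String> queryChangesetsBetween(String greaterThanRevision,
            String lesserThanOrEqualToRevision, String touchingFilePath,
            Map<String, String> bugParams, UserAuthenticationStore credentials) {
        requireMatch(SAFE_REVISION, lesserThanOrEqualToRevision, "upper revision");
        String range;
        if (greaterThanRevision == null || greaterThanRevision.length() == 0) {
            // No earlier scan to compare against: every changeset up to the first scan is a candidate.
            range = lesserThanOrEqualToRevision;
        } else {
            requireMatch(SAFE_REVISION, greaterThanRevision, "lower revision");
            range = greaterThanRevision + ".." + lesserThanOrEqualToRevision;   // (lower, upper]
        }
        List<String> cmd = new ArrayList<String>();
        cmd.add("git");
        cmd.add("rev-list");
        cmd.add("--reverse");   // oldest changeset first
        cmd.add(range);
        if (touchingFilePath != null && touchingFilePath.length() > 0) {
            requireMatch(SAFE_PATH, touchingFilePath, "file path");
            cmd.add("--");   // everything after this is a path, never a revision or an option
            cmd.add(touchingFilePath);
        }
        return runGit(cmd);
    }

    private List<String> runGit(List<String> cmd) {
        // ProcessBuilder passes each argument verbatim; no shell is involved, so nothing is re-parsed.
        ProcessBuilder pb = new ProcessBuilder(cmd).directory(repositoryDir).redirectErrorStream(true);
        List<String> lines = new ArrayList<String>();
        try {
            Process p = pb.start();
            BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8));
            try {
                String line;
                while ((line = in.readLine()) != null) {
                    lines.add(line.trim());
                }
            } finally {
                in.close();
            }
            if (p.waitFor() != 0) {
                // git's own message (unknown revision, not a repository) is something the user can act on.
                throw new BugTrackerException("git rev-list failed: " + lines);
            }
        } catch (IOException e) {
            throw new BugTrackerException("Cannot run git in " + repositoryDir + ": " + e.getMessage());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new BugTrackerException("Interrupted while querying git");
        }
        return lines;   // one commit id per line, oldest first
    }

    private static void requireMatch(Pattern p, String value, String what) {
        if (value == null || !p.matcher(value).matches()) {
            throw new BugTrackerException("Unexpected " + what + ": " + value);
        }
    }
}
```

The returned list is what Software Security Center places in the BugSubmission object for fileBug, so the plug-in can include the candidate changesets in the bug description it files.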