Configuring Fortify Software Security Center for the First Time

After you deploy Fortify Software Security Center for the first time and then enter the  Fortify Software Security Center URL in a browser window, the Fortify Software Security Center Setup wizard (Setup wizard) opens. Here, you can complete the steps for the initial server configuration. The Setup wizard is available to administrators only after you first deploy Fortify Software Security Center, after you upgrade it, or after you place Fortify Software Security Center in maintenance mode (see Placing Fortify Software Security Center in Maintenance Mode).

To configure Fortify Software Security Center for the first time:

  1. After you deploy a new version of the Fortify Software Security Center WAR file in Tomcat Server, open a browser window and type your Fortify Software Security Center server URL (https://<host_IP>:<port>/<app_context>/).

  2. In the upper right corner of the web page, click ADMINISTRATORS.

  3. Go to the <fortify.home><app_context> directory (see About the fortify.home Directory), and open the init.token file in a text editor. (If Tomcat is running as Windows service, then you can find the init.token file in %SystemRoot%\System32\config\systemprofile\.fortify\ssc\init.token).

  4. Copy the contents of the init.token file to the clipboard.

  5. On the web page, paste the string you copied from the init.token file into the text box, and then click SIGN IN.

    The Fortify Software Security Center Setup wizard opens.

  6. Read the information on the START page of the Setup wizard, and then click NEXT.

  7. On the CONFIGURATION step, under UPLOAD FORTIFY LICENSE, do the following:

    1. Click UPLOAD.

    2. Browse to and select your fortify.license file, and then click UPLOAD.

    If the license you entered is invalid or expired, Fortify Software Security Center displays a message to that effect.

    The right panel displays the default path of the configuration directory in which your configuration files (app.properties, datasource.properties and version.properties) are to reside.

  8. Read the warning note about sensitive information in the configuration file directory. If you want to save your configuration properties file in a directory other than the default shown, on Tomcat Server, specify a different path for the JVM system property fortify.home.

    Example: -Dfortify.home=/home/fortify
  9. Select the I have read and understood this warning check box, and then click NEXT.

  10. On the CORE CONFIGURATION SETTINGS step, do the following:

    1. In the FORTIFY SOFTWARE SECURITY CENTER URL box, type the URL for your Fortify Software Security Center server.
    2. In the center panel, select the Enable HTTP host header validation check box to ensure that the HTTP Host header value matches the value configured in the Fortify Software Security Center URL (host.url property). Both the host and port must match. This affects both browsers and direct REST APIs access. If validation is turned off, any HTTP Host header can access Fortify Software Security Center.

    3. To enable global searches in Fortify Software Security Center, in the GLOBAL SEARCH panel, select the Enable global search check box.

    4. The text box below the check box displays the default location for the search index files. If you prefer a different location, type a different directory path for your search index files. (Passwords are not indexed.)

      Note: The optimum disk size for the requisite indexing for global searches varies based on the characteristics of the data, but the Lucene indexes are much smaller than the data in the database. For example, the index size required for a database issue volume of 18 GB (with db indexes) is approximately 2 GB.

      Note: Because indexed data can include sensitive information (user names, email addresses, vulnerabilityClosedA weakness that allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. (same as issue) categories, issue file names, and so on), make sure that you select a secure location to which only Tomcat Server user has read and write access.

    5. Read the warning in the GLOBAL SEARCH panel, and then select the I have read and understood this warning check box.
  11. Click NEXT.

  12. On the DATABASE SETUP step, do the following:

    1. In the DATABASE TYPE box, select the database type you are using with Fortify Software Security Center.

    2. In the DATABASE USERNAME box, type the username for your Fortify Software Security Center database. For more information, see Database User Account Privileges.

    3. In the DATABASE PASSWORD box, type the password for your Fortify Software Security Center database account.

      Note: Make sure that the database user credentials specified in the DATABASE USERNAME and DATABASE PASSWORD boxes are for a user account that has the privileges required to execute migration scripts. These privileges are described in Database User Account Privileges.

    4. In the JDBC URL box, type the URL for the Fortify Software Security Center database.

      Important! If you are using a MySQL Server database, you must append the following property setting to the end of the URL:

      connectionCollation=COLLATION

      where COLLATION is the collation type of your database.

      Examples:

      jdbc:mysql://localhost:3306/ssc?connectionCollation=utf8_bin

      jdbc:mysql://localhost:3306/ssc?connectionCollation=latin1_general_cs


      Important! If you are using a MSSQL Server database, you must append the following property setting to the end of the URL:
      sendStringParametersAsUnicode=false
      jdbc:sqlserver://<host>:1433;database=<database_name>;sendStringParametersAsUnicode=false

    5. In the MAXIMUM IDLE CONNECTIONS box, type the maximum number of idle connections that can remain in the pool. The default value is 50.

    6. In the MAXIMUM ACTIVE CONNECTIONS box, type the maximum number of active connections that can remain in the pool. The default value is 100.

    7. In the MAXIMUM WAIT TIME (MS) box, type the maximum number of milliseconds for the pool to wait for a connection (when no connections are available) before the system throws an exception. The default value is 60000. To extend the wait indefinitely, set the value to zero (0).

    8. To test your settings, click TEST CONNECTION. Fortify Software Security Center displays a message to indicate whether the test was successful.

      Note: If the connection test fails, check the ssc.log file (<fortify.home>/<app_context>/logs directory) to determine the cause.

  13. Before you continue on to the DATABASE SEEDING step, run the create-tables.sql script. For instructions, see About the Fortify Software Security Center Database Tables and  the Schema.

  14. After you initialize the database, click NEXT.
  15. (Linux only) If you are using OpenJDK, make sure that you install DejaVu sans fonts and DejaVu serif fonts on the server. You can download these fonts from https://github.com/dejavu-fonts/dejavu-fonts. Without these fonts, Fortify Software Security Center cannot successfully generate reports.

  16. On the DATABASE SEEDING step, do the following:

    1. In the left panel, use BROWSE to locate and select your Fortify_Process_Seed_Bundle-2020_Q1.zip file, and then click SEED DATABASE.
    2. Use BROWSE to locate and select your Fortify_Report_Seed_Bundle-2020_Q1.zip file, and then click Seed Database.

    3. (Optional) Use BROWSE to locate and select your Fortify_PCI_Basic_Seed_Bundle-2020_Q1.zip file, and then click SEED DATABASE.

      Note: Use the PCI SSF Basic seed bundle to begin to understand how software security issues can affect evaluation under these new PCI SSF standards. For more information, see Unpacking and Deploying Fortify Software Security Center Software.

    4. (Optional) Use BROWSE to locate and select your Fortify_PCI_Basic_Seed_Bundle-2020_Q1.zip file, and then click SEED DATABASE.
    5. (Optional) Use BROWSE to locate and select your Fortify_PCI_SSF_Basic_Seed_Bundle-2020_Q1.zip file, and then click SEED DATABASE.

    For descriptions of the available seed bundlesClosedDownloaded bundles that add basic report, template, and administration account content to the server database during Fortify Software Security Center deployment. The issue template seed bundle provides a default admin user account and issue template data. The report seed bundle provides the default set of Fortify Software Security Center reports. The optional PCI Basic Bundle adds a Payment Card Industry process template and an associated report to the default set of templates and reports., see Unpacking and Deploying Fortify Software Security Center Software.

  17. Click NEXT.
  18. Click FINISH.
  19. Restart Tomcat Server.

After you finish the initial Fortify Software Security Center configuration, complete the configuration of the core parameters and configure additional settings in the ADMINISTRATION view. (For information about the ADMINISTRATION view, see Additional Fortify Software Security Center Configuration.)

Note: If you later find that you need to change any of the configuration settings, you can place Fortify Software Security Center in maintenance mode, and then make any necessary changes. For instructions on how to place Fortify Software Security Center in maintenance mode, see Placing Fortify Software Security Center in Maintenance Mode.

See Also

Configuring Fortify Software Security Center After an Upgrade