Automating Fortify Software Security Center Configuration

You can automate Fortify Software Security Center configuration before deployment using the autoconfig file. This file includes sections for each configurable aspect of Fortify Software Security Center. The autoconfig file enables automated deployment by providing settings and seed bundles for silent Fortify Software Security Center update and installation. You can use the autoconfig file to automate all Setup wizard tasks. The Setup wizard picks this file up at server startup and automates the entire installation.

Note: The datasource.properties file and some database fields contain encrypted entries that rely on the secret.key file. So, if you are moving your Fortify Software Security Center instance from one computer to another, you must also move the secret.key file (not just your properties file).

To automate Fortify Software Security Center configuration:

  1. Open a text editor and create a file named <app_context>.autoconfig, where <app_context> is the application server context in which Fortify Software Security Center is deployed (the name of the directory created under fortify.home). The file name must match the application context name (for Fortify Software Security Center, <app_context>.autoconfig) with the exception of ROOT context (_default_.autoconfig).

  2. Add the following to the <app_context>.autoconfig file, in the YAML format shown.

    Note: Copy only the properties for the database engine you use, and make sure that you remove the hash symbol (#) before each property. 

     appProperties:
    # Include any property found in <fortify.home>/<app_context >/conf/app.properties.
# For example, host.url: 'http://ssc.example.org:8888/ssc'
# searchIndex.location: '/home/ssc/search_index'
# host.validation: false

    datasourceProperties:
    # Include any property found in <fortify.home>/<app_context>/conf/datasource.properties.
# For example:
# db.username: ssc_db_admin_username
# db.password: ssc_db_admin_password
       # MSSQL database
# jdbc.url: 'jdbc:sqlserver://mssql-host:1433;database=ssc_db;sendStringParametersAsUnicode=false'
        # MySQL database
# jdbc.url: 'jdbc:mysql://mysql-host:3306/ssc_db? sessionVariables=collation_connection=latin1_general_cs&rewriteBatchedStatements=true'
        # Oracle database
# jdbc.url: 'jdbc:oracle:thin:oracle-host:1521:ssc_db'

     dbMigrationProperties:
    # Enable automatic database migration
migration.enabled: true
# Optionally specify alternative migration credentials
# migration.username: ssc_db_admin_username
# migration.password: ssc_db_admin_password

    seeds:
    # modify the path to the appropriate location for your environment 
- '/home/ssc/bundles/Fortify_Process_Seed_Bundle-2023_Q1_<build>.zip'
- '/home/ssc/bundles/Fortify_PCI_Basic_Seed_Bundle-2023_Q1_<build>.zip'
- '/home/ssc/bundles/Fortify_PCI_SSF_Basic_Seed_Bundle-2023_Q1_<build>.zip'
- '/home/ssc/bundles/Fortify_Report_Seed_Bundle-2023_Q1_<build>.zip'
  3. Save the file in <fortify.home> (%USERPROFILE%\.fortify on Windows systems).

  4. Place a copy of the fortify.license file in your <fortify.home> folder.

  5. Start Tomcat Server.

  6. Save the <app_context>.autoconfig file and then restart Fortify Software Security Center.

At the end of auto-configuration, Fortify Software Security Center computes the effective configuration checksum and saves it in the version.properties file as the value for the autoconfig.checksum property.

When Fortify Software Security Center starts with the <app_context>.autoconfig file present, it computes an effective configuration checksum and compares it to the checksum stored in the version.properties file. If the checksums do not match, Fortify Software Security Center runs a lightweight auto-configuration, and updates the autoconfig.checksum value.

If auto-configuration fails for any reason, Fortify Software Security Center is set to maintenance mode (maintenance.mode=true in the version.properties file) and forces either full auto-configuration or the display of the Setup wizard on the next server startup.

The checksum includes:

Properties from dbMigrationProperties are not included in the checksum.

Fortify Software Security Center performs full auto-configuration only if it is not fully configured. Fortify Software Security Center performs lightweight auto-configuration only if the checksums do not match but it is otherwise already configured.

Lightweight auto-configuration skips database migration (regardless of what is set in the ssc.autoconfig file) and it skips the initial internal bundle seeding. Seeding of bundles provided by autoconfig seeds is still performed.