Configuring Fortify Software Security Center for the First Time
After you deploy Fortify Software Security Center for the first time and then enter the Fortify Software Security Center URL in a browser window, the Fortify Software Security Center Setup wizard (Setup wizard) opens. Here, you can complete the steps for the initial server configuration. The Setup wizard is available to administrators only after you first deploy Fortify Software Security Center, after you upgrade it, or after you place Fortify Software Security Center in maintenance mode (see Placing Fortify Software Security Center in Maintenance Mode).
To configure Fortify Software Security Center for the first time:
- After you deploy a new version of the Fortify Software Security Center WAR file in Tomcat Server, open a browser window and type your Fortify Software Security Center server URL (https://<host_IP>:<port>/<app_context>/).
  Note: For a normal deployment, the default Fortify Software Security Center URL is <protocol>://<ssc_host>:<port>/ssc. For a deployment to a Kubernetes cluster, the default URL is <protocol>://<ssc_host>:<port>/ (without ssc at the end).
  If you deploy Fortify Software Security Center using a distributed WAR file without renaming the ssc.war file, app_context will be ssc unless it is overwritten by the Tomcat server configuration.
- In the upper right corner of the web page, click ADMINISTRATORS.
- Go to the <fortify.home>/<app_context> directory (see About the <fortify.home> Directory), and open the init.token file in a text editor. (If Tomcat is running as a Windows service, you can find the init.token file in %SystemRoot%\System32\config\systemprofile\.fortify\ssc\init.token.)
- Copy the contents of the init.token file to the clipboard.
- On the web page, paste the string you copied from the init.token file into the text box, and then click SIGN IN.
- Read the information on the START page of the Fortify Software Security Center Setup wizard, and then click NEXT.
- On the CONFIGURATION step, under UPLOAD FORTIFY LICENSE, do the following:
  - Click UPLOAD.
  - Browse to and select your fortify.license file, and then click UPLOAD.
    If the license you entered is invalid or expired, Fortify Software Security Center displays a message to that effect.
    The right pane displays the default path of the configuration directory in which your configuration files (app.properties, datasource.properties, and version.properties) are to reside.
  - Read the warning note about sensitive information in the configuration file directory. For information on how to change the location of this directory, see About the <fortify.home> Directory.
  - Select the I have read and understood this warning check box, and then click NEXT.
- On the CORE CONFIGURATION SETTINGS step, do the following:
  - In the left pane, under FORTIFY SOFTWARE SECURITY CENTER URL, type the URL for your Fortify Software Security Center server.
  - In the center pane, select the Enable HTTP host header validation check box to ensure that the HTTP Host header value matches the value configured in the Fortify Software Security Center URL (host.url property). Both the host and port must match. This affects both browser access and direct REST API access. If validation is turned off, requests with any HTTP Host header value can access Fortify Software Security Center.
  - To enable global searches in Fortify Software Security Center, in the GLOBAL SEARCH pane, select the Enable global search check box.
  - The text box below the check box displays the default location for the search index files. If you prefer a different location, type a different directory path for your search index files. (Passwords are not indexed.)
    Note: The optimum disk size for the requisite indexing for global searches varies based on the characteristics of the data, but the Lucene indexes are much smaller than the data in the database. For example, the index size required for a database issue volume of 18 GB (with db indexes) is approximately 2 GB.
    Note: Because indexed data can include sensitive information (user names, email addresses, vulnerability categories, issue file names, and so on), make sure that you select a secure location to which only the Tomcat Server user has read and write access.
  - Read the warning in the GLOBAL SEARCH pane, and then select the I have read and understood this warning check box.
  - Click NEXT.
- On the DATASOURCE step, do the following:
  - From the DATABASE TYPE list, select the database type you are using with Fortify Software Security Center.
  - Under DATABASE USERNAME, type the username for your Fortify Software Security Center database. For more information, see Database User Account Privileges.
  - Under DATABASE PASSWORD, type the password for your Fortify Software Security Center database account.
    Note: Make sure that the database user credentials specified in the DATABASE USERNAME and DATABASE PASSWORD fields are for a user account that has the privileges required to execute migration scripts. These privileges are described in Database User Account Privileges.
  - Under JDBC URL, type the URL for the Fortify Software Security Center database, keeping in mind the following:
    For MySQL databases:
    - If MySQL server is configured to use the sha256_password or the caching_sha2_password authentication plugin, you must provide the server RSA public key to the JDBC driver with the serverRsaPublicKeyFile option. Alternatively, you can use the less secure allowPublicKeyRetrieval option. For more detail, see the MariaDB Connector/J and MySQL server documentation (https://mariadb.com/kb/en/mariadb-connector-j and https://dev.mysql.com/doc).
    - If you are using a MySQL Server database, you must add the following to the end of the URL:
      - rewriteBatchedStatements=true
      - sessionVariables=collation_connection=COLLATION
      where COLLATION represents the collation type of your database.
      Examples:
      jdbc:mysql://localhost:3306/ssc?sessionVariables=collation_connection=utf8_bin&rewriteBatchedStatements=true
      jdbc:mysql://localhost:3306/ssc?sessionVariables=collation_connection=latin1_general_cs&rewriteBatchedStatements=true
      The MariaDB JDBC driver is used to connect to the MySQL database server. Any additional JDBC URL parameters must use MariaDB driver syntax.
    For MSSQL Server databases:
    - If you are using a MSSQL Server database, you must add the following property setting to the end of the URL:
      sendStringParametersAsUnicode=false
      Example:
      jdbc:sqlserver://<host>:1433;database=<database_name>;sendStringParametersAsUnicode=false
    - Caution! Fortify Software Security Center ships with a MSSQL JDBC Driver version that requires an encrypted connection and a trusted server certificate by default. If the connection fails as a result of certificate verification, Fortify recommends that you provide the trust store. If providing a trust store is not an option, you can disable trust verification. If the certificate is trusted but the certificate DNS name does not match the database server hostname, use the hostNameInCertificate connection property to provide the correct hostname.
      For more information, see the hostNameInCertificate, trustServerCertificate, and trustStore* JDBC URL properties in the "Setting the connection properties" article at https://learn.microsoft.com/en-us/sql/connect/jdbc/setting-the-connection-properties.
  - Under MAXIMUM IDLE CONNECTIONS, type the maximum number of idle connections that can remain in the pool. The default value is 50.
  - Under MAXIMUM ACTIVE CONNECTIONS, type the maximum number of active connections that can remain in the pool. The default value is 100.
  - Under MAXIMUM WAIT TIME (MS), type the maximum number of milliseconds for the pool to wait for a connection (when no connections are available) before the system throws an exception. The default value is 60000. To extend the wait indefinitely, set the value to zero (0).
  - To test your settings, click TEST CONNECTION. Fortify Software Security Center displays a message to indicate whether the test was successful.
    Note: If the connection test fails, check the ssc.log file (<fortify.home>/<app_context>/logs directory) to determine the cause.
  - Before you continue on to the DATABASE SEEDING step, run the create-tables.sql script. For instructions, see About the Fortify Software Security Center Database Tables and Schema.
    Note: If you automate Fortify Software Security Center configuration and you have enabled database migration in the <app_context>.autoconfig file, you do not need to run the create-tables.sql script. For information about how to automate Fortify Software Security Center configuration, see Automating Fortify Software Security Center Configuration.
  - After you initialize the database, click NEXT.
- (Linux only) On Linux systems, make sure the fontconfig library, DejaVu sans fonts, and DejaVu serif fonts are installed on the server.
- On the DATABASE SEEDING step, do the following:
  - In the left pane, use BROWSE to locate and select your Fortify_Process_Seed_Bundle-2023_Q1_<build>.zip file, and then click SEED DATABASE.
  - Use BROWSE to locate and select your Fortify_Report_Seed_Bundle-2023_Q1_<build>.zip file, and then click SEED DATABASE.
  - (Optional) Use BROWSE to locate and select your Fortify_PCI_SSF_Basic_Seed_Bundle-2023_Q1_<build>.zip file, and then click SEED DATABASE.
    Note: Use the PCI SSF Basic seed bundle to begin to understand how software security issues can affect evaluation under these new PCI SSF standards. For more information, see Unpacking and Deploying Fortify Software Security Center Software.
  - (Optional) Use BROWSE to locate and select your Fortify_PCI_Basic_Seed_Bundle-2023_Q1_<build>.zip file, and then click SEED DATABASE.
  For descriptions of the available seed bundles, see Unpacking and Deploying Fortify Software Security Center Software.
- Click NEXT.
- Click FINISH.
- Restart Tomcat Server.
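To illustrate what the Enable HTTP host header validation setting on the CORE CONFIGURATION SETTINGS step checks, the following added example compares a request's Host header with a configured host.url value. It is not Fortify code and not part of the original page; the function names, the sample hostnames, and the treatment of a missing port as the scheme's default port are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split_host_header(value):
    """Split a Host header into (host, port or None); handles [IPv6]:port."""
    value = value.strip()
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = value.partition(":")
    if port and not port.isdigit():
        raise ValueError("malformed port in Host header")
    return host.lower(), int(port) if port else None


def host_header_matches(host_url, host_header):
    """Return True only when both host and port of the header match host_url."""
    cfg = urlsplit(host_url)
    cfg_port = cfg.port or DEFAULT_PORTS[cfg.scheme]
    try:
        host, port = _split_host_header(host_header)
    except ValueError:
        return False
    # Assumption: a Host header without a port implies the scheme's default port.
    if port is None:
        port = DEFAULT_PORTS[cfg.scheme]
    return host == (cfg.hostname or "").lower() and port == cfg_port


if __name__ == "__main__":
    # Constructed sample values; ssc.example.com is a placeholder hostname.
    configured = "https://ssc.example.com:8443/ssc"
    for header in ("ssc.example.com:8443", "SSC.Example.com:8443",
                   "ssc.example.com", "other.example.net:8443"):
        print(header, "->", host_header_matches(configured, header))
```
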
After you finish the initial Fortify Software Security Center configuration, complete the configuration of the core parameters and configure additional settings in the Administration view. (For information about the Administration view, see Additional Fortify Software Security Center Configuration.)
Note: If you later find that you need to change any of the configuration settings, you can place Fortify Software Security Center in maintenance mode, and then make any necessary changes. For instructions on how to place Fortify Software Security Center in maintenance mode, see Placing Fortify Software Security Center in Maintenance Mode.
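The JDBC URL rules from the DATASOURCE step can be checked before a value is entered in the wizard or placed in an automation file. This added example is not part of the original page or the product; the function names and the db.example.internal URLs are constructed, and comparing property names case-insensitively is a simplifying assumption.

```python
from urllib.parse import parse_qs, urlsplit


def _params(url):
    """Return (database kind, {lowercased property name: value})."""
    if url.startswith("jdbc:mysql:"):
        query = parse_qs(urlsplit(url[len("jdbc:"):]).query, keep_blank_values=True)
        return "mysql", {k.lower(): v[-1] for k, v in query.items()}
    if url.startswith("jdbc:sqlserver:"):
        # SQL Server properties follow the host as ;name=value pairs.
        pairs = (p.split("=", 1) for p in url.split(";")[1:] if "=" in p)
        return "mssql", {k.strip().lower(): v.strip() for k, v in pairs}
    raise ValueError("not a MySQL or MSSQL Server JDBC URL")


def lint_jdbc_url(url):
    """Return findings for one JDBC URL; an empty list means no findings."""
    kind, p = _params(url)
    is_set = lambda name, value: p.get(name, "").lower() == value
    findings = []
    if kind == "mysql":
        if not is_set("rewritebatchedstatements", "true"):
            findings.append("missing rewriteBatchedStatements=true")
        if "collation_connection=" not in p.get("sessionvariables", ""):
            findings.append("missing sessionVariables=collation_connection=COLLATION")
        if is_set("allowpublickeyretrieval", "true"):
            findings.append("allowPublicKeyRetrieval is the less secure option; "
                            "prefer serverRsaPublicKeyFile")
    else:
        if not is_set("sendstringparametersasunicode", "false"):
            findings.append("missing sendStringParametersAsUnicode=false")
        if is_set("trustservercertificate", "true"):
            findings.append("trustServerCertificate=true disables trust verification; "
                            "provide a trust store instead")
    return findings


# First URL is an example from the page; the others are constructed samples.
SAMPLES = [
    "jdbc:mysql://localhost:3306/ssc?sessionVariables=collation_connection=utf8_bin"
    "&rewriteBatchedStatements=true",
    "jdbc:mysql://db.example.internal:3306/ssc?rewriteBatchedStatements=true"
    "&allowPublicKeyRetrieval=true",
    "jdbc:sqlserver://db.example.internal:1433;database=ssc;"
    "sendStringParametersAsUnicode=false;trustServerCertificate=true",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_jdbc_url(sample) or "ok")
```
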
See Also
Configuring Fortify Software Security Center After an Upgrade