Configuring the ScanCentral SAST Controller
After you install the Controller, edit global properties such as the email address to be used, the shared secret for the Controller (the password that Fortify Software Security Center uses when it requests data from the ScanCentral Controller), the shared secret for the sensor, and the Fortify Software Security Center URL (if you plan to upload your FPRs to Fortify Software Security Center).
Caution! To avoid potential conflicts, Fortify recommends that you run the Controller on a Tomcat Server instance other than the instance that Fortify Software Security Center uses.
To configure the Controller:
- Navigate to <controller_dir>/tomcat/webapps/scancentral-ctrl/WEB-INF/classes.
- Open the config.properties file in a text editor, and then configure the properties listed in the following table.

Property / Description

accept_job_when_no_sensor_available
    Determines whether scan requests submitted by clients are accepted if no compatible sensors (or compatible versions) are available. The default value is true. In the following examples, the option is set to false:
    - If version 20.2 clients submit a scan request, and only version 21.2 sensors are available, the scan request is rejected.
    - If a client submits a request for a scan of code written in .NET, and no .NET sensors are available, the scan is rejected.

cleanup_period
    Frequency (in minutes) with which expired jobs and sensors are cleaned up. (The default is 60.)

client_auth_token
    A client authentication token string that contains no spaces or backslashes, used to secure the Controller for use by authorized clients only. If you prefer not to use plain text, you can use an encrypted shared secret as the value for this property. For instructions on how to encrypt a shared secret, see Encrypting the Shared Secret.

client_auto_update
    If set to true, enables the Controller to automatically update all outdated sensors and clients. For details, see Enabling and Disabling Auto-Updates of Clients and Sensors.

db_dir
    ScanCentral SAST database home directory. Example:
    db_dir=${catalina.base}/cloudCtrlDb

email_allow_list
    Use this property to specify the list of email domains that the Controller can use to send notifications.
    Examples of valid values: *@yourcompanyname.com, *@*yourcompanyname.com, a*@yourcompanyname.com, name@yourcompanyname.com
    To specify multiple values, you can use commas (,), colons (:), or semicolons (;) as delimiters.

email_deny_list
    Use this property to specify the list of email domains that the Controller cannot use to send notifications.
    Examples of valid values: *@yourcompanyname.com, *@*yourcompanyname.com, a*@yourcompanyname.com, name@yourcompanyname.com
    To specify multiple values, you can use commas (,), colons (:), or semicolons (;) as delimiters.

fail_job_if_ssc_upload_data_invalid
    If ScanCentral SAST is configured to upload scan results to an application version in Fortify Software Security Center, and either the ScanCentralCtrlToken token has expired or the specified application version does not exist, scan jobs are run, but the upload to Fortify Software Security Center fails. (This is the default behavior.)
    If you set this option to true, before the Controller creates a job and assigns it to a sensor, it checks to make sure that the ScanCentralCtrlToken token has not expired, and that the application version exists in Fortify Software Security Center. The default value is false.
    If set to true and the ScanCentralCtrlToken token expires before a scan job is assigned to a sensor, the scan does not run and the job fails.

from_email
    Email address of the sender.

job_expiry_delay
    Number of hours after a job finishes that the job becomes a candidate for cleanup. Cleanup removes the job directory, removes jobs from the database, and removes information about expired sensors from the database so that they are no longer displayed in Fortify Software Security Center. By default, jobs are deleted from the Controller after 168 hours, or 7 days.

job_file_dir
    Job storage directory.

lim_license_pool
    Name of the LIM license pool.

lim_license_pool_password
    Password for the LIM license pool.
    Note: You can either use a plain text password, or use the pwtool_keys_file option to encrypt this password. For information about how to encrypt your passwords, see Encrypting the Shared Secret.

lim_proxy_server
    LIM proxy server IP address.

lim_proxy_url
    To access the LIM server when the sensor is behind a proxy, configure the proxy server.

lim_proxy_user
    LIM proxy username, if authentication is required for the LIM proxy server.

lim_proxy_password
    Password for the LIM proxy user.
    Note: You can either use a plain text password, or use the pwtool_keys_file option to encrypt this password. For information about how to encrypt your passwords, see Encrypting the Shared Secret.

lim_server_url
    URL for the License and Infrastructure Manager (LIM) server Root Web Site.

max_upload_size
    Maximum size (MB) of files that can be uploaded to the Controller from clients or sensors (for example, log files, result files, job files).

pool_mapping_mode
    Used to configure different modes for mapping scan requests to sensor pools. For information about the valid values for pool_mapping_mode, see About the pool_mapping_mode Property.

pwtool_keys_file
    Path to a file with pwtool keys. If encoded passwords are used, this must point to a file with the pwtool keys used to encode the passwords. Otherwise you can comment it out. Example:
    pwtool_keys_file=${catalina.base}/pwtool.keys

remote_ip_proxy_header
    Remote IP proxy header.

scan_timeout
    Maximum amount of time (in minutes) sensors can process a scan job and be prevented from doing other jobs. After the specified number of minutes is reached, a scan job is cancelled.
    This setting is applied to all sensors associated with the Controller but can be overridden if the -sto command-line option is specified for a given job. For information about the -sto option, see Setting the Maximum Run Time for Scans and Global Options.

smtp_host
    SMTP server host name.

smtp_port
    SMTP server port number.

smtp_ssl
    If set to true, the Controller uses SSL for connections to the SMTP server. Otherwise, it does not use SSL (default).

smtp_ssl_check_trust
    If set to false, the SMTP server certificate is always trusted. Otherwise, the certificate trust is based on the certification path (the default).

smtp_ssl_check_server_identity
    If set to false, SMTP server identity is not checked. Otherwise, the Controller checks server identity, as specified by RFC 2595 (the default).

smtp_auth_user / smtp_auth_pass
    If your SMTP server requires authentication, uncomment both the smtp_auth_user and smtp_auth_pass properties and set their values. Otherwise, leave both properties commented. You can use either a plain text password or a password encoded using pwtool for smtp_auth_pass.

ssc_lockdown_mode
    If set to true, ScanCentral SAST clients are forced to work with the ScanCentral Controller through Fortify Software Security Center. Jobs must be uploaded to a Fortify Software Security Center application version (a job cannot be started without the upload). In SSC lockdown mode, users cannot assign scans to specific sensor pools manually. Instead, the mapping configured on Fortify Software Security Center for the selected application version is applied. In SSC lockdown mode, you:
    - Cannot use the client command -url option, but must use the -ssc_url option with the -ssc_token option instead
    - Must specify the application name and version, or the application version id, and the -upload option when starting the scan
    - Cannot specify the -pool option, because the job is assigned to the pool configured for the specified application version

ssc_scancentral_ctrl_secret
    Password that Fortify Software Security Center uses to request data from the Controller. Specify a string that contains no spaces or backslashes.
    (Optional) Use an encrypted shared secret. For instructions on how to encrypt a shared secret, see Encrypting the Shared Secret.
    Note: The ssc_cloudctrl_secret option is supported for backward compatibility with Fortify CloudScan.

ssc_remote_ip
    Remote IP address. You can configure an allowed remote IP address for Fortify Software Security Center. Only requests with a matching remote IP address are allowed.

ssc_remote_ip_header
    Remote IP HTTP header, where the Fortify Software Security Center remote IP is found if ssc_remote_ip_trusted_proxies_range is set. The default value is X-FORWARDED-FOR.

ssc_remote_ip_trusted_proxies_range
    Remote IP range (in CIDR format). Set this if Fortify Software Security Center accesses the Controller via a (reverse) proxy server. You can specify comma-separated IP addresses or CIDR network ranges.
    This is disabled by default, which means that ssc_remote_ip_header is never used to retrieve the remote IP address for Fortify Software Security Center. If your remote IP address is different than the configured Fortify Software Security Center URL, you can use one of the following properties to set up the remote IP address.

ssc_trusted_proxies_remote_ip
    If remote_ip_proxy_header is set, you must also specify a value for this property.

ssc_url
    URL for the Fortify Software Security Center server; all uploads are sent to this address. Examples:
    https://<ssc_host>:<port>/ssc
    https://<ssc_host>:<port>/<context_path>

this_url
    URL for the Controller; used in emails to refer to this server for manual job result downloads. Example:
    https://<controller_host>:8443/scancentral-ctrl

use_starttls
    Used to support STARTTLS. If set to true, the Controller uses the STARTTLS protocol command (opportunistic SSL/TLS) to inform the SMTP server that the email client wants to upgrade from an insecure connection to a secure connection using SSL/TLS. The default is false.

worker_auth_token
    A string that contains no spaces or backslashes, used to secure the Controller for use by authorized sensors only. If you prefer not to use plain text, you can use an encrypted shared secret as the value for this property. For instructions on how to encrypt a shared secret, see Encrypting the Shared Secret on the Controller.

worker_expiry_delay
    Number of hours after a sensor stops communicating that it becomes a candidate for cleanup. (The default is 168 hours, or 7 days.)

worker_inactive_delay
    Number of minutes after a sensor becomes inactive that all of its unfinished jobs are marked as faulted. Assign a value that is much larger than worker_stale_delay. Note that this option uses different time units than worker_stale_delay.

worker_stale_delay
    Number of seconds after a sensor stops communicating that it becomes stale. Assign a value that is larger than the worker_sleep_interval and worker_jobwatcher_interval defined for any sensor.

- Save and close your config.properties file.
- Start the Controller. (For instructions, see Starting the ScanCentral SAST Sensors.)
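As an added example (not Fortify's code), the following script checks a config.properties file against the constraints this page documents: shared secrets without spaces or backslashes, the SMTP trust and identity checks left enabled, a trusted proxy IP pinned whenever a remote IP proxy header is configured, and worker_inactive_delay (minutes) kept well above worker_stale_delay (seconds). The sample file content is constructed and deliberately violates several of these rules.

```python
import re

# Constructed sample config.properties (not a real deployment); the commented-out line is treated as unset.
SAMPLE = """
client_auth_token=my secret\\token
worker_auth_token=sensorSecret123
ssc_scancentral_ctrl_secret=sscSecret
smtp_ssl=true
smtp_ssl_check_trust=false
smtp_ssl_check_server_identity=false
remote_ip_proxy_header=X-FORWARDED-FOR
# ssc_trusted_proxies_remote_ip=10.0.0.5
worker_stale_delay=300
worker_inactive_delay=3
"""

def parse_properties(text):
    """Parse simple key=value lines; blank lines and '#' lines (commented-out properties) are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_controller_config(text):
    """Return (property, problem) pairs for the constraints the page documents."""
    p = parse_properties(text)
    findings = []
    # Shared secrets must contain no spaces or backslashes.
    for key in ("client_auth_token", "worker_auth_token", "ssc_scancentral_ctrl_secret"):
        if key in p and re.search(r"[ \\]", p[key]):
            findings.append((key, "must not contain spaces or backslashes"))
    # With trust or identity checks off, an SMTP connection can be intercepted unnoticed.
    if p.get("smtp_ssl_check_trust") == "false":
        findings.append(("smtp_ssl_check_trust", "SMTP server certificate is always trusted"))
    if p.get("smtp_ssl_check_server_identity") == "false":
        findings.append(("smtp_ssl_check_server_identity", "SMTP server identity is not checked"))
    # Trusting a proxy header requires pinning which proxy may set it.
    if "remote_ip_proxy_header" in p and "ssc_trusted_proxies_remote_ip" not in p:
        findings.append(("ssc_trusted_proxies_remote_ip", "required when remote_ip_proxy_header is set"))
    # worker_inactive_delay is in minutes, worker_stale_delay in seconds.
    stale_s = int(p.get("worker_stale_delay", "0"))
    inactive_min = int(p.get("worker_inactive_delay", "0"))
    if inactive_min * 60 <= stale_s:
        findings.append(("worker_inactive_delay", "must be much larger than worker_stale_delay (minutes vs seconds)"))
    return findings
```

Running check_controller_config on the real file (read from the classes directory named above) before starting the Controller catches these misconfigurations before a sensor or Fortify Software Security Center ever connects.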