Encrypting the Shared Secret

Passwords in the ScanCentral Controller and sensor configuration files are stored as plain text. If you prefer, you can encrypt them.

You can use encrypted values for the worker_auth_token, smtp_auth_pass, ssc_scancentral_ctrl_secret, and client_auth_token properties.

Encrypting the Shared Secret on the Controller

To encrypt a shared secret on the Controller:

  1. Run one of the following:

    • On a Windows system, <controller_dir>/bin/pwtool.bat <pwtool_keys_file>
    • On a Linux system, <controller_dir>/bin/pwtool <pwtool_keys_file>
  2. When prompted, type the password to encode, and then press Enter.

    Note: For the sake of security, make sure that the pwtool key file you use to encrypt secrets for sensors is different from the pwtool key file you use to encrypt secrets on the Controller.

    The pwtool generates a new key and stores it in the file at the path you specified in step 1, or reuses the existing key file at that path.

  3. Copy the new encrypted secret, and paste it as the value for one of the following properties in the config.properties file:

    • worker_auth_token
    • smtp_auth_pass
    • ssc_scancentral_ctrl_secret
    • client_auth_token

    Tip: Fortify recommends that you assign separate, unique shared secrets for the worker_auth_token, smtp_auth_pass, and ssc_scancentral_ctrl_secret properties.

  4. Create two additional encrypted shared secrets (steps 1 and 2) and, in the config.properties file, paste these as values for the two properties to which you did not already assign an encrypted secret in step 3.
  5. Uncomment the following line (property) in the config.properties file:

    pwtool_keys_file=<pwtool_keys_file>

  6. Save the config.properties file.

Encrypting the Shared Secret on a Sensor

To encrypt a shared secret on a sensor:

  1. Run one of the following:

    • On a Windows system, <sca_install_dir>\bin\pwtool.bat <pwtool_keys_file>
    • On a Linux system, <sca_install_dir>/bin/pwtool <pwtool_keys_file>
  2. When prompted, type the password to encode, and then press Enter.

    The pwtool generates a new pwtool.keys file at <pwtool_keys_file> and prints the new encrypted secret to the console.

  3. Copy the encrypted secret, and paste it as the value for the worker_auth_token property in the worker.properties file.

  4. Add the following line (property) to the worker.properties file:

    pwtool_keys_file=<pwtool_keys_file>
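The following script is an added example, not Fortify code: after completing the Controller and sensor procedures above, it checks that pwtool_keys_file is uncommented in both property files, that the Controller and sensor point at different key files (the Note in the Controller procedure), and that the three Controller secrets are distinct (the Tip). The file paths and secret values it builds are constructed placeholders, and the prop/check_props helper names are its own.

```shell
# Added example, not Fortify code: sanity-check the Controller and sensor
# property files after the procedures above. It verifies that pwtool_keys_file
# is uncommented in both files, that the Controller and sensor use different
# key files, and that the three Controller secrets are distinct.
# All paths and secret values below are constructed placeholders.

# prop FILE KEY: print the value of an uncommented KEY=value line (first match)
prop() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_props CONFIG_PROPERTIES WORKER_PROPERTIES: return 0 if all checks pass
check_props() {
  rc=0
  ctrl_keys=$(prop "$1" pwtool_keys_file)
  worker_keys=$(prop "$2" pwtool_keys_file)
  [ -n "$ctrl_keys" ] || { echo "$1: pwtool_keys_file missing or commented out"; rc=1; }
  [ -n "$worker_keys" ] || { echo "$2: pwtool_keys_file missing or commented out"; rc=1; }
  if [ -n "$ctrl_keys" ] && [ "$ctrl_keys" = "$worker_keys" ]; then
    echo "Controller and sensor share one pwtool key file: $ctrl_keys"; rc=1
  fi
  # The three Controller secrets must be present and pairwise different
  a=$(prop "$1" worker_auth_token)
  b=$(prop "$1" smtp_auth_pass)
  c=$(prop "$1" ssc_scancentral_ctrl_secret)
  for v in "$a" "$b" "$c"; do
    [ -n "$v" ] || { echo "$1: a shared-secret property is empty"; rc=1; }
  done
  if [ "$a" = "$b" ] || [ "$a" = "$c" ] || [ "$b" = "$c" ]; then
    echo "$1: the same secret is reused across properties"; rc=1
  fi
  return $rc
}

# Constructed sample files: a correct pair, plus a sensor file that wrongly
# points at the Controller's key file
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/config.properties" <<'EOF'
#pwtool_keys_file=<pwtool_keys_file>
pwtool_keys_file=/opt/controller/pwtool.keys
worker_auth_token=enc_placeholder_1
smtp_auth_pass=enc_placeholder_2
ssc_scancentral_ctrl_secret=enc_placeholder_3
EOF
printf 'worker_auth_token=enc_placeholder_4\npwtool_keys_file=/opt/sensor/pwtool.keys\n' \
  > "$WORK/worker.properties"
printf 'worker_auth_token=enc_placeholder_4\npwtool_keys_file=/opt/controller/pwtool.keys\n' \
  > "$WORK/worker-bad.properties"
check_props "$WORK/config.properties" "$WORK/worker.properties" && echo "checks passed"
```

Run it against your own config.properties and worker.properties paths in place of the constructed files; a non-zero exit with a printed reason means one of the steps above was skipped.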

Encrypting the Shared Secret on a Client

To encrypt a shared secret on a client:

  1. Run one of the following commands:

    • On a Windows system:

    • On a Linux system:

      • For a client used as part of Fortify Static Code Analyzer and applications, run <sca_install_dir>/bin/pwtool <pwtool_keys_file>
      • For a standalone client, run <client_install_dir>/bin/pwtool <pwtool_keys_file>
  2. When prompted, type the password to encode, and then press Enter.

    The pwtool generates a new key in the file at the specified path, or reuses an existing key file there, and prints the encrypted password.

  3. Copy the new encrypted secret, and paste it as the value for the client_auth_token property in the client.properties file.

  4. Add the following to the client.properties file:

    pwtool_keys_file=<pwtool_keys_file>

See Also

Configuring the ScanCentral SAST Controller

Creating ScanCentral SAST Sensors