Generating Authentication Tokens
You can generate authentication tokens from either the Administration view in Fortify Software Security Center, or from the command-line interface. Only you can see the details of your tokens. A Fortify Software Security Center administrator can extend the life of a token you create, but not beyond the maximum days to live for that token.
Note: Be aware that you can create a token of any type, but if you do not have the permission required to perform the action that the token is designed to perform, you will not be able to use the token.
Generating a Token from the Administration View
To generate an authentication token from the Fortify Software Security Center user interface:
- On the Fortify page header, select Administration.
- In the left pane, expand the Users section, and then select Token Management.
- On the Token Management toolbar, click NEW to open the Create Token dialog box.
- From the Token Type list, select the type of token you want to create.
  To see a list of available token types, see the table in Generating a Token from the Command Line.
  The Create Token dialog box displays a description of the selected token type in the right pane.
- Use the Expiration calendar control to specify the date on which the token is to expire. (The expiration time is set to the current time on the specified date.)
  Note: By default, the expiration date value is set to the maximum number of days to live for the selected token type. You can set this to an earlier date to give the token a shorter life.
- In the Description box, type a description of the intended use of the new token.
- Click SAVE.
  The Create Token dialog box displays a message to let you know the token was successfully created.
- At the bottom of the message, copy either the encoded or decoded token string and save it. (Software Security Center will not display these again.)
  The Token Management page now lists the new token.
Generating a Token from the Command Line
To generate a token from the command line, run the following:
fortifyclient token -gettoken <token_name> -url <ssc_url> -user <username> -password <password>
The following table lists the available <token_name> options.
| Option | Description |
|---|---|
| AnalysisDownloadToken | Download merged result files |
| AnalysisUploadToken | Upload scan results to Fortify Software Security Center and list applications |
| AuditToken | Load details about current security issues and apply analysis tags |
| AutomationToken | Provides the capability to access most of the REST API endpoints permitted to its issuing user. Intended for use with longer-running automations. Max Usages: Unlimited. Max Days to Live: 365. Caution! Because of the access this token provides, and its maximum allowed lifetime, you must take extra care to secure it to reduce risk of API misuse or unintended use. Fortify strongly recommends that you evaluate the planned use of this token and make sure that you limit its life based on your environments' tolerance for risk. |
| CIToken | Enables integration of Software Security Center with continuous integration plugins |
| PurgeProjectVersionToken | Provides the capability to programmatically request a list of all application versions, and to purge application versions from Fortify Software Security Center |
| ReportFileTransferToken | Typically created programmatically by automation scripts using the /fileTokens endpoint to support downloading an existing report within an authenticated session |
| ReportToken | Enables users to: request list of saved reports; request saved report based on the report ID; delete saved reports; return list of saved reports associated with a specific application version; generate new reports |
| ScanCentralCtrlToken | For ScanCentral communications using the Fortify ScanCentral CLI tools |
| ToolsConnectToken | Use this token with the Fortify Static Code Analyzer applications (including Audit Workbench, IDE plugins, and utilities) that connect to Fortify Software Security Center for collaborative auditing, remediation, and uploading of scan results. |
| UnifiedLoginToken | Enables access to most of the REST API. It is intended for short-run automations that last less than a day. |
Authentication tokens are defined at runtime in WEB-INF/internal/serviceContext.xml.
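The following wrapper around the command above is an added example, not code from Fortify. It checks the token type against the table, builds the argument list without a shell, and masks the password for logging. The function names, the https-only rule, and the `allow_broad` gate are assumptions of this example, and it expects `fortifyclient` on the PATH.

```python
import getpass
import subprocess
from urllib.parse import urlsplit

# Token types from the table above.
TOKEN_TYPES = {
    "AnalysisDownloadToken", "AnalysisUploadToken", "AuditToken",
    "AutomationToken", "CIToken", "PurgeProjectVersionToken",
    "ReportFileTransferToken", "ReportToken", "ScanCentralCtrlToken",
    "ToolsConnectToken", "UnifiedLoginToken",
}
# Types the table describes as reaching most of the REST API.
BROAD_TYPES = {"AutomationToken", "UnifiedLoginToken"}


def build_gettoken_argv(token_type, ssc_url, user, password, allow_broad=False):
    """Return the argv list for `fortifyclient token -gettoken ...`."""
    if token_type not in TOKEN_TYPES:
        raise ValueError(f"unknown token type: {token_type!r}")
    if token_type in BROAD_TYPES and not allow_broad:
        # Example policy (assumption): broad tokens need an explicit opt-in.
        raise ValueError(f"{token_type} grants broad REST access; pass allow_broad=True")
    parts = urlsplit(ssc_url)
    if parts.scheme != "https" or not parts.netloc:
        # Example policy (assumption): never send the password over plain http.
        raise ValueError("ssc_url must be an https:// URL")
    if not password:
        raise ValueError("empty password")
    return ["fortifyclient", "token", "-gettoken", token_type,
            "-url", ssc_url, "-user", user, "-password", password]


def redact(argv):
    """Copy of argv that is safe to log: the value after -password is masked."""
    out = list(argv)
    for i, arg in enumerate(out[:-1]):
        if arg == "-password":
            out[i + 1] = "********"
    return out


def request_token(token_type, ssc_url, user):
    """Prompt for the password without echo, then run fortifyclient."""
    argv = build_gettoken_argv(token_type, ssc_url, user, getpass.getpass("SSC password: "))
    print("running:", " ".join(redact(argv)))
    # List form, no shell: special characters in the password are passed literally.
    # The password is still visible in the local process list while the command runs.
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout
```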
See Also
Specifying DaysToLive for fortifyclient Authentication Tokens.