Securing the Controller

This topic describes how to create a secure connection (HTTPS) between the Fortify ScanCentral SAST Controller/Tomcat server and the Fortify ScanCentral SAST client. This procedure requires either a self-signed certificate or a certificate signed by a certificate authority such as VeriSign.

These instructions describe a third-party product and might not match the specific, supported version you are using. See your product documentation for the instructions for your version.
Creating a secure connection using self-signed certificates

To enable SSL on Tomcat using a self-signed certificate:

1. To generate a keystore that contains a self-signed certificate, open a command prompt and run the following Java keytool command:

       keytool -genkey -alias <alias_name> -keyalg RSA -keystore <mykeystore>

2. Provide values for the prompts as described below (prompt, followed by the value to enter).

   Enter keystore password:
       Type a secure password.

   Re-enter new password:
       Re-type your secure password.

   What is your first and last name?
       Type your hostname. You can use your fully qualified domain name here. To provide an IP address as the hostname, you must also provide the -ext san=ip:<ip_address> option to keytool. Without this additional option, the SSL handshake fails.

   What is the name of your organizational unit?
       Name to identify the group that is to use the certificate.

   What is the name of your organization?
       Name of your organization.

   What is the name of your City or Locality?
       City or locality in which your organization is located.

   What is the name of your State or Province?
       State or province in which your organization is located.

   What is the two-letter country code for this unit?
       For example, if your server is in the United States, type US.

   Confirm your entries:
       Type yes to confirm your entries.

   Enter key password for <tomcat> <Return if same as keystore password>:
       Password for your Tomcat server key, or press Enter to use the same password you established for your keystore. OpenText recommends that you create a new key password.

   Re-enter new password:
       Re-type your key password.

3. To export the certificate from the Tomcat keystore, open a command prompt and type the following:

       keytool -export -alias <alias_name> -keystore <mykeystore> -file "YourCertFile.cer"

4. Add the following connector to the server.xml file in the tomcat/conf directory:

       <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                  maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
           <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
           <SSLHostConfig>
               <Certificate certificateKeystoreFile="<my_keystore>"
                            certificateKeystorePassword="<my_password>" type="RSA" />
           </SSLHostConfig>
       </Connector>

   The default server.xml file installed with Tomcat includes an example <Connector> element for an SSL connector.

5. Open the <controller_install_dir>/tomcat/webapps/scancentral-ctrl/WEB-INF/classes/config.properties file in a text editor and update the this_url property with your HTTPS address and port, as shown in the following example:

       this_url=https://<controller_host>:8443/scancentral-ctrl

6. Restart your Tomcat server.

7. Set up your clients and sensors. For information about how to set up the Fortify ScanCentral SAST clients and sensors, see Installing clients and Installing sensors, respectively.

8. Add your self-signed certificate to the Java keystore on all entities that communicate with the Controller (this includes all clients, sensors, and Fortify Software Security Center installations) as follows:

   a. For embedded clients and sensors, go to the <sast_install_dir>/jre/bin directory, where <sast_install_dir> is the directory where the sensor or client is installed. For standalone clients, type one of the following commands:

      On a Windows system:

          cd %JAVA_HOME%\jre\bin

      On a Linux system:

          cd $JAVA_HOME/jre/bin

   b. Run the following command:

          keytool -importcert -alias <aliasName> -keystore ../lib/security/cacerts -file "YourCertFile.cer" -trustcacerts

      where YourCertFile.cer is the same certificate file that you exported in step 3.
Creating a secure connection using a certificate signed by a certificate signing authority

To enable SSL on Tomcat using a certificate signed by a certificate signing authority:

1. Use the Java keytool to generate a new keystore containing a self-signed certificate:

       keytool -genkey -alias <alias_name> -keyalg RSA -keystore <mykeystore>

   The keytool prompts you for the information described below (prompt, followed by the value to enter).

   Enter keystore password:
       Type a secure password.

   Re-enter new password:
       Re-enter your secure password.

   What is your first and last name?
       Type your hostname. You can use your fully qualified domain name here. To enter an IP address as the hostname, you must also pass an additional option to keytool, -ext san=ip:<ip_address>. Without this additional option, the SSL handshake fails.

   What is the name of your organizational unit?
       Type the name of the group that is to use the certificate.

   What is the name of your organization?
       Type the name of your organization.

   What is the name of your City or Locality?
       Type the city or locality.

   What is the name of your State or Province?
       Type the state or province.

   What is the two-letter country code for this unit?
       If your server is in the United States, type US.

   Confirm your entries:
       Type yes to confirm your entries.

   Enter key password for <tomcat> <Return if same as keystore password>:
       Type a password for your Tomcat server key, or press Return to use the same password you established for your keystore. OpenText recommends that you create a new password.

   Re-enter new password:
       Re-type your key password.

2. Generate a Certificate Signing Request (CSR). To obtain a certificate from a certificate signing authority, you must generate a CSR; the certificate authority uses the CSR to create the certificate. Create the CSR as follows:

       keytool -certreq -alias <alias_name> -keyalg RSA -file "yourCSRname.csr" -keystore "<mykeystore>"

3. Send the CSR file to the certificate signing authority you have chosen.

4. After you receive your certificate from the certificate signing authority, import it into the keystore that you created, as follows:

       keytool -importcert -alias <alias_name> -trustcacerts -file "YourVerisignCert.crt" -keystore "<mykeystore>"

   The root CA already exists in the cacerts file of your Java™ Development Kit (JDK), so you are just installing the intermediate CA for your certificate signing authority. If you purchased your certificate from VeriSign, you must first import the chain certificate. You can find the specific chain certificate on the VeriSign website, or click the link for the chain certificate in the email you received from VeriSign with your certificate.

       keytool -importcert -alias IntermediateCA -trustcacerts -file "chainCert.crt" -keystore "<mykeystore>"

5. Add the following Connector element to the server.xml file in the tomcat/conf directory:

       <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                  maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
           <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
           <SSLHostConfig>
               <Certificate certificateKeystoreFile="<my_keystore>"
                            certificateKeystorePassword="<my_password>" type="RSA" />
           </SSLHostConfig>
       </Connector>

   The default server.xml file installed with Tomcat includes an example <Connector> element for an SSL connector.

6. Restart the Tomcat server.

7. Open the <controller_install_dir>/tomcat/webapps/scancentral-ctrl/WEB-INF/classes/config.properties file in a text editor and update the this_url property with your HTTPS address and port, as shown in the following example:

       this_url=https://<controller_host>:8443/scancentral-ctrl
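Both procedures above end with the same two edits: the SSL <Connector> in server.xml and the this_url property in config.properties. Clients and sensors only reach the Controller if those two files agree (https scheme, the connector's port, and no <my_keystore>-style placeholders left behind). The following script is an added example for this page, not OpenText's or Tomcat's own code; it cross-checks the two files and reports mismatches. It assumes the file layouts shown on this page, and the sample server.xml and config.properties contents embedded in it are constructed for the demonstration.

```python
"""Cross-check a Tomcat SSL connector against the Controller's this_url.

Added example (not OpenText/Tomcat code). Assumes the server.xml and
config.properties layouts shown in the procedure above.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Unreplaced placeholders from the procedure, e.g. <my_keystore>, <controller_host>.
PLACEHOLDER = re.compile(r"<[a-z_]+>")


def find_ssl_connectors(server_xml: str) -> list:
    """Return the attributes of every <Connector SSLEnabled="true">.

    A raw '<' is not legal inside an XML attribute value, so a leftover
    placeholder like certificateKeystoreFile="<my_keystore>" would make
    Tomcat reject the file. It is masked here only so the rest of the file
    can still be inspected; check_controller_tls reports it separately.
    """
    root = ET.fromstring(PLACEHOLDER.sub("PLACEHOLDER", server_xml))
    found = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        attrs = dict(conn.attrib)
        cert = conn.find("./SSLHostConfig/Certificate")
        if cert is not None:
            attrs.update({"cert." + k: v for k, v in cert.attrib.items()})
        found.append(attrs)
    return found


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_controller_tls(server_xml: str, config_properties: str) -> list:
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    for ph in sorted(set(PLACEHOLDER.findall(server_xml))):
        findings.append(f"server.xml: placeholder {ph} was not replaced")
    try:
        connectors = find_ssl_connectors(server_xml)
    except ET.ParseError as exc:
        return findings + [f"server.xml: not well-formed XML ({exc})"]
    if not connectors:
        findings.append('server.xml: no Connector with SSLEnabled="true"')
    ssl_ports = {c.get("port") for c in connectors}

    this_url = parse_properties(config_properties).get("this_url")
    if this_url is None:
        return findings + ["config.properties: this_url is not set"]
    for ph in sorted(set(PLACEHOLDER.findall(this_url))):
        findings.append(f"config.properties: placeholder {ph} was not replaced")
    # Mask placeholders so urlsplit sees a syntactically valid host.
    url = urlsplit(PLACEHOLDER.sub("placeholder-host", this_url))
    if url.scheme != "https":
        findings.append(f"config.properties: this_url scheme is {url.scheme!r}, not https")
    port = str(url.port) if url.port else "443"  # https default when omitted
    if ssl_ports and port not in ssl_ports:
        findings.append(
            f"config.properties: this_url port {port} does not match "
            f"SSL connector port(s) {sorted(ssl_ports)}"
        )
    if not url.path.rstrip("/").endswith("/scancentral-ctrl"):
        findings.append("config.properties: this_url path should end with /scancentral-ctrl")
    return findings


# Constructed sample inputs: a finished configuration and one with the
# placeholders, scheme and port left wrong.
SERVER_XML_OK = """<Server><Service>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="/opt/controller/keystore.jks"
                 certificateKeystorePassword="example-only" type="RSA" />
  </SSLHostConfig>
</Connector>
</Service></Server>"""
SERVER_XML_BAD = SERVER_XML_OK.replace("/opt/controller/keystore.jks", "<my_keystore>") \
                              .replace("example-only", "<my_password>")
CONFIG_OK = "this_url=https://controller.example.com:8443/scancentral-ctrl\n"
CONFIG_BAD = "# placeholder and http left over\nthis_url=http://<controller_host>:8080/scancentral-ctrl\n"

if __name__ == "__main__":
    for label, xml, props in (("ok", SERVER_XML_OK, CONFIG_OK), ("bad", SERVER_XML_BAD, CONFIG_BAD)):
        print(label, check_controller_tls(xml, props) or "no findings")
```

Run it against copies of the real files before restarting Tomcat; the port comparison also catches the common case where this_url still points at the plain-HTTP connector after the SSL connector was added.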