Configuring core settings

In addition to the initial configuration you performed with the Setup wizard, you must also configure several core attributes: user account timeout and lockout settings, the display of user information, the maximum number of events per OpenText™ DAST Agent issue, the base URL for the runtime event description server, and an administrator's email address. You also configure the proxy used for Rulepack updates on this page. For information about the Rulepack update proxy, see About configuring a proxy for Rulepack updates.

To configure Application Security core settings:

  1. Sign in as an Administrator.
  2. On the header, select Administration.
  3. On the navigation pane, expand Configuration, and then select Core.
  4. On the Core page, configure the settings described in the following table.

    Absolute session timeout (minutes)
      Number of minutes a user can be continuously active before automatic logout occurs.
      The default value is 240.

    Days before password reset
      Number of days an Application Security password is valid before the user must change it.
      The default value is 30.

    Login attempts allowed before a user is locked out
      Number of times a local user can try to sign in to Application Security using invalid credentials before the user's account is locked.
      If Application Security locks a user out, that user is prevented from attempting a new login for the number of minutes specified in the Lockout time (minutes) box. For information about how to unlock a user account, see Unlocking local user accounts.
      The default value is 3.
      This setting does not apply to LDAP users. If an account lockout threshold was configured in Active Directory using the Group Policy editor, an LDAP user account can still be locked out in Active Directory after consecutive failed login attempts.

    Lockout time (minutes)
      If a user fails to sign in to Application Security the number of times specified in Login attempts allowed before a user is locked out, Application Security locks the user account for the number of minutes specified in this box.
      The default value is 30.

    User lookup strategy
      If LDAP is enabled, select one of the following user lookup strategies from this list:
      • Local users first, fallback to LDAP users (compatibility)
        Search local users first, then search LDAP users. To avoid potential authorization errors and user confusion, ensure that usernames are not duplicated between the LDAP server and local storage.
      • LDAP users first, fallback to local users
        Search LDAP users first, then local users. To avoid potential authorization errors and user confusion, ensure that usernames are not duplicated between the LDAP server and local storage.
      • LDAP users exclusive, fallback to local administrator
        (Recommended strategy for SSO) Search LDAP users only, and allow local administrator access.

    Display user first/last names and emails in user fields, along with login names
      Select this check box to display the following user information, when applicable: login name, first and last names, and email address.

    Maximum events per WebInspect Agent Issue
      Maximum number of events to log within a single OpenText DAST Agent issue. After that threshold is reached, new events related to the same issue are ignored.
      The default value is 5.

    Inactive session timeout (minutes)
      Number of minutes a user can be inactive before Application Security automatically logs the user off.
      The default value is 30.

    Locale for Rulepacks
      Type one of the following:
      • ja (Japanese)
      • zh_CN (simplified Chinese)
      • zh_TW (traditional Chinese)
      • es (Spanish)
      • pt_BR (Portuguese Brazilian)
      There is no need to specify a value for English.

    Rulepack update URL
      URL for the Rulepack update server. The default value is https://update.fortify.com.
      Do not change the default value of this field unless your Customer Support representative directs you to do so.

    Use SSC proxy for Rulepack update
      Select this check box to route Rulepack updates through the Application Security proxy, if the Rulepack update server is behind that proxy.
      You must enable and correctly configure the Application Security proxy. For information, see Configuring a proxy for Application Security integrations.

    User administrator's email address (for user account requests)
      Email address of the user who is to receive system email alerts and notifications when email notifications are enabled.
      Requests for new user accounts are sent to this address when the Can't access or need an account? link is available on the sign-in dialog box.

    Enable export to CSV from the Dashboard and AUDIT views
      By default, users can export Application Security data displayed in the Dashboard view and the AUDIT page to comma-separated values (CSV) files. Clear this check box to block this functionality.
      If you change only this setting on the Core page, a server restart is not required for the change to take effect.

  5. Click SAVE.

  6. Restart the server.
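The lockout settings and the user lookup strategy in the table interact: the lockout counter applies only to local accounts, and the lookup strategy decides which store a username is resolved against before any password is checked. The following Python model is added here as an illustration; it is not Application Security's own code and does not come from this documentation. It assumes that "fallback" means the next store is consulted only when the username is not found in the first one (not when the password is wrong), which is exactly why the table warns against duplicating usernames across LDAP and local storage. The user stores, passwords, clock values and result strings are all constructed for the example.

```python
"""Constructed model of two Core settings: the user lookup strategy and the
local account lockout policy. Added illustration, not product code."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The three choices from the "User lookup strategy" list.
LOCAL_FIRST = "local-first"        # Local users first, fallback to LDAP users
LDAP_FIRST = "ldap-first"          # LDAP users first, fallback to local users
LDAP_EXCLUSIVE = "ldap-exclusive"  # LDAP users exclusive, fallback to local administrator


@dataclass
class CorePolicy:
    login_attempts_before_lockout: int = 3   # page default
    lockout_minutes: int = 30                # page default
    lookup_strategy: str = LOCAL_FIRST


@dataclass
class LocalUser:
    password: str                            # plaintext only because this is a toy model
    is_admin: bool = False
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class Authenticator:
    def __init__(self, policy, local_users, ldap_users):
        self.policy = policy
        self.local = local_users   # name -> LocalUser
        self.ldap = ldap_users     # name -> password (stands in for a directory bind)

    def _local(self, name, pw, now, admin_only=False):
        """Check a local account; returns None when the store does not know the name."""
        user = self.local.get(name)
        if user is None or (admin_only and not user.is_admin):
            return None
        if user.locked_until is not None and now < user.locked_until:
            return "locked"                  # still inside the lockout window
        if hmac.compare_digest(user.password, pw):
            user.failed_attempts = 0
            user.locked_until = None
            return "ok:local"
        user.failed_attempts += 1
        if user.failed_attempts >= self.policy.login_attempts_before_lockout:
            user.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
            user.failed_attempts = 0
            return "locked"
        return "bad-password"

    def _ldap(self, name, pw):
        """LDAP check: no local lockout counter here, as the table states."""
        if name not in self.ldap:
            return None
        return "ok:ldap" if hmac.compare_digest(self.ldap[name], pw) else "bad-password"

    def authenticate(self, name, pw, now=None):
        now = now or datetime.utcnow()
        s = self.policy.lookup_strategy
        if s == LOCAL_FIRST:
            chain = (lambda: self._local(name, pw, now), lambda: self._ldap(name, pw))
        elif s == LDAP_FIRST:
            chain = (lambda: self._ldap(name, pw), lambda: self._local(name, pw, now))
        elif s == LDAP_EXCLUSIVE:
            chain = (lambda: self._ldap(name, pw),
                     lambda: self._local(name, pw, now, admin_only=True))
        else:
            raise ValueError(f"unknown lookup strategy: {s}")
        for lookup in chain:
            result = lookup()
            if result is not None:
                return result                # the first store that knows the name decides
        return "unknown-user"


def sample_authenticator(strategy=LOCAL_FIRST):
    """Fresh constructed stores. 'alice' exists in both with different passwords,
    which is the duplicate the documentation tells you to avoid."""
    local = {"admin": LocalUser("local-admin-pw", is_admin=True),
             "alice": LocalUser("alice-local-pw"),
             "carol": LocalUser("carol-pw")}
    ldap = {"alice": "alice-ldap-pw", "bob": "bob-ldap-pw"}
    return Authenticator(CorePolicy(lookup_strategy=strategy), local, ldap)


def lockout_walkthrough():
    """Three wrong passwords lock 'alice' for 30 minutes; the correct password is
    refused inside the window and accepted once it has passed."""
    auth = sample_authenticator()
    t0 = datetime(2024, 1, 1, 9, 0, 0)       # constructed clock
    attempts = [auth.authenticate("alice", "wrong", now=t0 + timedelta(seconds=i))
                for i in range(3)]
    during = auth.authenticate("alice", "alice-local-pw", now=t0 + timedelta(minutes=29))
    after = auth.authenticate("alice", "alice-local-pw", now=t0 + timedelta(minutes=31))
    return attempts, during, after


if __name__ == "__main__":
    print(lockout_walkthrough())
    print(sample_authenticator(LOCAL_FIRST).authenticate("alice", "alice-ldap-pw"))
```

Run as a script, the first line shows the lockout sequence and the second shows the duplicate-username problem: under the local-first strategy, alice's LDAP password is rejected because the local store already knows the name, so LDAP is never consulted. Under the LDAP-exclusive strategy, a non-admin local-only user such as carol cannot sign in at all, which is the behaviour the table describes as "fallback to local administrator".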

See Also

Unlocking local user accounts