Configuring Application Security for the first time
After you deploy Application Security for the first time and then enter the Application Security URL in a browser window, the Setup wizard opens. Use the Setup wizard to complete the steps for the initial server configuration. The Setup wizard is available to administrators only after you first deploy Application Security, after you upgrade it, or after you place Application Security in maintenance mode (see Placing Application Security in maintenance mode).
To configure Application Security for the first time:
1. After you deploy a new version of the Application Security WAR file to the Tomcat server, open a browser window and type your Application Security server URL (<protocol>://<hostname>:<port>/<app_context>).
   For a standard deployment, the default Application Security URL is <protocol>://<hostname>:<port>/ssc. For a deployment to a Kubernetes cluster, the default URL is <protocol>://<hostname>:<port> (without ssc at the end). If you deploy Application Security using a distributed WAR file without renaming the ssc.war file, <app_context> is ssc unless it is overridden by the Tomcat server configuration.
2. On the upper right of the webpage, click ADMINISTRATORS.
3. Open the <fortify.home>/<app_context>/init.token file in a text editor.
   If Tomcat is running as a Windows service, the init.token file is located at %SystemRoot%\System32\config\systemprofile\.fortify\ssc\init.token.
4. Copy the contents of the init.token file to the clipboard.
5. On the Setup wizard sign-in page, paste the string you copied from the init.token file into the Security Token box, and then click SIGN IN.
6. Read the information on the Setup wizard START page, and then click NEXT.
7. On the CONFIGURATION page, under UPLOAD FORTIFY LICENSE, do the following:
   - Click UPLOAD.
   - Browse to and select your fortify.license file, and then click UPLOAD.
   - The Setup wizard displays the default path of the configuration directory where your configuration files (app.properties, datasource.properties, and version.properties) will reside. Read the warning note about sensitive information in the configuration file directory, select the I have read and understood this warning check box, and then click NEXT.
   For information on how to change the location of this directory, see About the <fortify.home> directory.
8. On the CORE CONFIGURATION SETTINGS page, do the following:
   - Under FORTIFY SOFTWARE SECURITY CENTER URL, type the URL for your Application Security server.
   - Select the Enable HTTP host header validation check box to ensure that the HTTP Host header value matches the value configured in the Application Security URL (host.url property). Both the host and the port must match. This affects both browsers and direct REST API access. If validation is turned off, a request with any HTTP Host header value can reach Application Security.
   - To enable global searches, in the GLOBAL SEARCH pane, do the following:
     - Select the Enable global search check box.
     - The text box below the check box displays the default location for the search index files. If you prefer a different location, type a different directory path for your search index files. Passwords are not indexed.
       Because indexed data can include sensitive information (user names, email addresses, vulnerability categories, issue file names, and so on), ensure that you select a secure location to which only the Tomcat server user has read and write access.
       The disk space needed for the global search index varies with the characteristics of the data, but the Lucene indexes are much smaller than the data in the database. For example, a database issue volume of 18 GB (including database indexes) requires an index of approximately 2 GB.
     - Read the warning in the GLOBAL SEARCH pane, and then select the I have read and understood this warning check box.
   - Click NEXT.
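The host-and-port rule behind the Enable HTTP host header validation option is easy to model, and doing so shows why a request that omits the port, or names the server by IP address, is rejected. The following Python script is an added example written for this guide, not Application Security's own implementation. It assumes the comparison is made on the hostname and port parsed from the host.url property, with the scheme's default port (80 or 443) used when either side omits the port; the hostnames, the HOST_URL value and the Host header values are constructed samples.

```python
"""Model of the host/port match enforced by "Enable HTTP host header validation".

Added illustration for this guide, not Application Security's own code.
Assumption: the configured host.url and the request's Host header are compared
on hostname and port, with the scheme's default port (80/443) filling in when a
port is omitted.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def configured_authority(host_url: str) -> tuple[str, int]:
    """Return (hostname, port) from a host.url value such as https://ssc.example.internal:8443/ssc."""
    parts = urlsplit(host_url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"host.url must be an http(s) URL with a hostname: {host_url!r}")
    return parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme]


def host_header_matches(host_url: str, host_header: str) -> bool:
    """True only when the Host header names the configured hostname AND port."""
    expected_host, expected_port = configured_authority(host_url)
    scheme = urlsplit(host_url).scheme
    try:
        # Prefix the configured scheme so urlsplit parses "host[:port]" for us.
        request = urlsplit(f"{scheme}://{host_header.strip()}")
        request_port = request.port or DEFAULT_PORTS[scheme]
    except ValueError:
        # A non-numeric or out-of-range port is a malformed header: reject it.
        return False
    return (request.hostname or "").lower() == expected_host and request_port == expected_port


def triage_requests(host_url: str, host_headers: list[str]) -> dict[str, bool]:
    """Evaluate a batch of Host header values, for example pulled from an access log."""
    return {header: host_header_matches(host_url, header) for header in host_headers}


if __name__ == "__main__":
    # Constructed sample values; the hostname is a placeholder.
    HOST_URL = "https://ssc.example.internal:8443/ssc"
    samples = [
        "ssc.example.internal:8443",   # matches host and port
        "SSC.EXAMPLE.INTERNAL:8443",   # hostnames compare case-insensitively
        "ssc.example.internal",        # no port -> defaults to 443, which is not 8443
        "10.0.0.5:8443",               # IP address instead of the configured hostname
        "ssc.example.internal:8443x",  # malformed port
    ]
    for header, ok in triage_requests(HOST_URL, samples).items():
        print(f"{'accept' if ok else 'reject':7} Host: {header}")
```

Running the script prints one accept/reject line per sample; only the first two are accepted, which is the "both host and port must match" behaviour described above.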
9. On the DATASOURCE page, do the following:
   - From the DATABASE TYPE list, select the database type you are using for Application Security.
   - In the DATABASE USERNAME box, type the user name for your database account. For more information, see Database user account permissions.
   - In the DATABASE PASSWORD box, type the password for your database account.
     Ensure that the database user credentials specified in the DATABASE USERNAME and DATABASE PASSWORD fields are for a user account that has the permissions required to execute migration scripts. These permissions are described in Database user account permissions.
   - In the JDBC URL box, type the URL for Application Security, keeping in mind the following:
     For MySQL databases:
     If the MySQL server is configured to use the sha256_password or the caching_sha2_password authentication plugin, you must provide the server RSA public key to the JDBC driver with the serverRsaPublicKeyFile option. Alternatively, you can use the less secure allowPublicKeyRetrieval option. For more information, see the MariaDB Connector/J and MySQL server documentation.
     You must append the following two parameters to the end of the JDBC URL:
     sessionVariables=collation_connection=<collation>
     rewriteBatchedStatements=true
     where <collation> represents your database collation type.
     Examples:
     jdbc:mysql://<host>:3306/ssc?sessionVariables=collation_connection=utf8mb3_bin&rewriteBatchedStatements=true
     jdbc:mysql://<host>:3306/ssc?sessionVariables=collation_connection=latin1_general_cs&rewriteBatchedStatements=true
     The MariaDB JDBC driver connects to the MySQL database server, so any additional JDBC URL parameters must use MariaDB driver syntax.
     For SQL Server databases:
     You must append the following property setting to the end of the JDBC URL:
     sendStringParametersAsUnicode=false
     Example:
     jdbc:sqlserver://<host>:1433;database=<database_name>;sendStringParametersAsUnicode=false
     Application Security includes a SQL Server JDBC driver version that, by default, requires an encrypted connection and a trusted server certificate. If the connection fails because of certificate verification, OpenText recommends that you provide the trust store. If providing a trust store is not an option, you can disable trust verification. If the certificate is trusted but the DNS name in the certificate does not match the database server hostname, use the hostNameInCertificate connection property to provide the correct hostname.
     For more information, see the hostNameInCertificate, trustServerCertificate, and trustStore* JDBC URL properties in the Setting the connection properties article.
   - In the MAXIMUM IDLE CONNECTIONS box, type the maximum number of idle connections that can remain in the pool. The default value is 50.
   - In the MAXIMUM ACTIVE CONNECTIONS box, type the maximum number of active connections that can remain in the pool. The default value is 100.
   - In the MAXIMUM WAIT TIME (MS) box, type the maximum number of milliseconds for the pool to wait for a connection (when no connections are available) before the system throws an exception. The default value is 60000. To wait indefinitely, set the value to zero.
   - To test your settings, click TEST CONNECTION. If the connection test fails, check the ssc.log file in the <fortify.home>/<app_context>/logs directory to determine the cause.
   - Click DOWNLOAD SCRIPT to download the create-tables.sql script, and then run it. If you automate the Application Security configuration and you have enabled database migration in the <app_context>.autoconfig file, you do not need to run the create-tables.sql script. For information about how to automate the configuration, see Automating Application Security configuration.
   - After you initialize the database, click NEXT.
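A JDBC URL that lacks one of the parameters required above only shows up as a failed TEST CONNECTION and a stack trace in ssc.log, so it is worth checking the URL before pasting it into the wizard. The following Python script is an added example for this guide, not OpenText code: it checks the MySQL requirements (sessionVariables=collation_connection=<collation> and rewriteBatchedStatements=true) and the SQL Server requirement (sendStringParametersAsUnicode=false) stated above, and additionally flags the less secure allowPublicKeyRetrieval and trustServerCertificate options the text mentions and any credentials embedded in the URL (the DATABASE USERNAME and DATABASE PASSWORD boxes are the intended place for those). The hostnames and database names in the sample URLs are constructed placeholders.

```python
"""Pre-flight checks for the JDBC URL entered on the DATASOURCE page.

Added illustration for this guide, not OpenText code.  It encodes the URL
requirements given in the text (MySQL: sessionVariables=collation_connection
and rewriteBatchedStatements=true; SQL Server: sendStringParametersAsUnicode=false)
and flags the weaker options the text mentions.
"""
from __future__ import annotations

from urllib.parse import parse_qs

MYSQL_PREFIX = "jdbc:mysql://"
SQLSERVER_PREFIX = "jdbc:sqlserver://"


def mysql_url_problems(url: str) -> list[str]:
    """Return the problems found in a MySQL JDBC URL (an empty list means it passes)."""
    if not url.startswith(MYSQL_PREFIX):
        return ["not a jdbc:mysql:// URL"]
    problems: list[str] = []
    _, _, query = url.partition("?")
    # parse_qs splits each pair on its first '=', so the value of
    # sessionVariables=collation_connection=utf8mb3_bin keeps its inner '='.
    params = parse_qs(query, keep_blank_values=True)
    prefix = "collation_connection="
    if not any(v.startswith(prefix) and len(v) > len(prefix)
               for v in params.get("sessionVariables", [])):
        problems.append("missing sessionVariables=collation_connection=<collation>")
    if params.get("rewriteBatchedStatements") != ["true"]:
        problems.append("missing rewriteBatchedStatements=true")
    if params.get("allowPublicKeyRetrieval") == ["true"]:
        problems.append("allowPublicKeyRetrieval=true is the less secure choice; "
                        "prefer serverRsaPublicKeyFile")
    if "password" in params:
        problems.append("credentials belong in the DATABASE PASSWORD box, not in the URL")
    return problems


def sqlserver_url_problems(url: str) -> list[str]:
    """Return the problems found in a SQL Server JDBC URL (an empty list means it passes)."""
    if not url.startswith(SQLSERVER_PREFIX):
        return ["not a jdbc:sqlserver:// URL"]
    problems: list[str] = []
    # Properties follow the host as ';key=value' pairs:
    # jdbc:sqlserver://host:1433;database=ssc;sendStringParametersAsUnicode=false
    # Property names are treated case-insensitively here.
    props: dict[str, str] = {}
    for part in url[len(SQLSERVER_PREFIX):].split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key:
            props[key.strip().lower()] = value.strip()
    if props.get("sendstringparametersasunicode") != "false":
        problems.append("missing sendStringParametersAsUnicode=false")
    if not props.get("database") and not props.get("databasename"):
        problems.append("no database name (database=<database_name>)")
    if props.get("trustservercertificate", "").lower() == "true":
        problems.append("trustServerCertificate=true disables certificate trust verification; "
                        "supply a trust store where you can")
    if "password" in props:
        problems.append("credentials belong in the DATABASE PASSWORD box, not in the URL")
    return problems


def check_jdbc_url(url: str) -> list[str]:
    """Dispatch on the URL prefix and return the list of problems found."""
    if url.startswith(MYSQL_PREFIX):
        return mysql_url_problems(url)
    if url.startswith(SQLSERVER_PREFIX):
        return sqlserver_url_problems(url)
    return ["unsupported JDBC URL prefix"]


if __name__ == "__main__":
    # Constructed sample URLs; hostnames and database names are placeholders.
    for candidate in [
        "jdbc:mysql://db.example.internal:3306/ssc?sessionVariables=collation_connection=utf8mb3_bin&rewriteBatchedStatements=true",
        "jdbc:mysql://db.example.internal:3306/ssc",
        "jdbc:sqlserver://db.example.internal:1433;database=ssc;sendStringParametersAsUnicode=false",
        "jdbc:sqlserver://db.example.internal:1433;database=ssc;sendStringParametersAsUnicode=false;trustServerCertificate=true",
    ]:
        found = check_jdbc_url(candidate)
        print(candidate)
        print("  OK" if not found else "\n".join(f"  - {p}" for p in found))
```

The script reports only what can be read from the URL text; it cannot tell whether the collation you chose matches the database or whether the trust store actually contains the server certificate, so TEST CONNECTION remains the final check.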
10. On the DATABASE SEEDING page, do the following:
    - Click BROWSE to locate and select your Fortify_Process_Seed_Bundle-2025_Q2_<build>.zip file, and then click SEED DATABASE.
    - Click BROWSE to locate and select your Fortify_Report_Seed_Bundle-2025_Q2_<build>.zip file, and then click SEED DATABASE.
    - (Optional) Click BROWSE to locate and select your Fortify_PCI_SSF_Basic_Seed_Bundle-2025_Q2_<build>.zip file, and then click SEED DATABASE.
    - (Optional) Click BROWSE to locate and select your Fortify_PCI_Basic_Seed_Bundle-2025_Q2_<build>.zip file, and then click SEED DATABASE.
    For descriptions of the available seed bundles, see Downloading and unpacking Application Security files.
11. Click NEXT, and then click FINISH.
12. On Linux systems only, ensure that the fontconfig library, DejaVu Sans fonts, and DejaVu Serif fonts are installed on the server so that users can generate BIRT reports.
13. Restart the Tomcat server.
After you finish the initial Application Security configuration, you can complete the configuration of the core attributes and additional settings. For information, see Additional Application Security configuration.
If you later need to change any of the configuration settings, place Application Security in maintenance mode, and then make the necessary changes. For instructions on how to place Application Security in maintenance mode, see Placing Application Security in maintenance mode.