Using HTTPS and SSL communications
OpenText strongly recommends that you configure Application Security and OpenText Application Security Software client products (including Fortify Audit Workbench, fortifyclient, and the Secure Code Plugins) to use HTTPS and Secure Sockets Layer (SSL) for all communications.
If you are using a third-party certificate purchased from and signed by a trusted root CA such as VeriSign, Entrust, or Thawte, you do not need to do anything on the client side to use HTTPS to communicate with Application Security. The certificate is trusted because these root CA certificates are in the keystore that OpenText Application Security Software client products use.
However, by default, Application Security, OpenText Application Security Tools, and the fortifyclient utility do not trust self-signed certificates or certificates signed by an internal or local signing authority. In this case, to use HTTPS to communicate with Application Security, you must import the self- or locally-signed certificate into the Java Runtime certificate store.
If you used a third-party Certification Authority to issue a locally-signed certificate, ensure that you import the CA certificate chain you used to issue the certificate.
To install a self-signed or locally-signed certificate into the keystore that Application Security and OpenText Application Security Tools use, do the following on every machine on which any of these products is installed:
Open a command prompt, and then run the following:

cd "<tools_install_dir>/jre/bin"
keytool -importcert -alias SSC -keystore ../lib/security/cacerts -file "YourCertFile.cer" -trustcacerts

where:

<tools_install_dir> is the installation directory for the OpenText Application Security Tools

YourCertFile.cer is the same certificate file that you imported on the Tomcat server
If, for some reason, the certificate file is not available, you can export it from the keystore the Tomcat server uses, as follows:

cd <java_home>/jre/bin
keytool -exportcert -alias SSC -keystore <keystore_used_by_tomcat> -file YourCertFile.cer

You can use any name you want for the alias. These examples use SSC.
When you create a self-signed certificate interactively with the Java keytool, you are prompted to provide your first and last names. Provide the fully-qualified domain name of the server that hosts Application Security. Do not simply use the short hostname or localhost.
When you create a connector in the server.xml file for HTTPS, ensure that you include the keyAlias attribute, set to the alias of the certificate in your keystore. Otherwise, if the keystore contains multiple certificates, Tomcat uses the first certificate it finds.
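The following shell script is an added example and is not part of the OpenText documentation or product. It wraps the export and import procedure above in a few checks a practitioner usually wants before trusting a certificate on every client machine: it reads the certificate's subject CN from keytool -printcert output and refuses to import when the CN is not a fully qualified domain name (the same requirement the note about the keytool prompts states), it skips the import when the alias is already present in the tools cacerts, and it prints the exact keytool command it is about to run. The directory /opt/fortify/tools/jre, the alias SSC and the file YourCertFile.cer are placeholder values; -noprompt is a standard keytool option that suppresses the interactive trust confirmation, and keytool still prompts for the keystore password because none is passed on the command line.

```shell
#!/bin/sh
# Added example; not OpenText's code. Assumed placeholder values:
#   TOOLS_JRE  = <tools_install_dir>/jre of the Application Security Tools
#   CERT_FILE  = the certificate exported from the Tomcat keystore
#   ALIAS      = keystore alias to use (the docs use SSC)
set -eu

# Returns 0 when the name is fully qualified (contains a dot) and is not
# localhost; short host names and localhost are rejected.
is_fqdn() {
  case "$1" in
    localhost|*.localhost) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "keytool -printcert -file <cert>" output on stdin and prints the
# subject CN, e.g. "Owner: CN=ssc.example.com, O=Example" -> ssc.example.com
cert_cn() {
  sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n1
}

# Builds the import command the procedure describes, for display/logging.
# $1 = tools jre dir, $2 = alias, $3 = certificate file
import_cmd() {
  printf '%s/bin/keytool -importcert -noprompt -alias %s -keystore %s/lib/security/cacerts -file %s -trustcacerts' \
    "$1" "$2" "$1" "$3"
}

# Returns 0 if the alias already exists in the tools cacerts (needs keytool).
alias_present() {
  "$1/bin/keytool" -list -keystore "$1/lib/security/cacerts" -alias "$2" >/dev/null 2>&1
}

# Runs the checked import. Arguments as for import_cmd.
do_import() {
  jre=$1; alias=$2; cert=$3
  cn=$("$jre/bin/keytool" -printcert -file "$cert" | cert_cn)
  if ! is_fqdn "$cn"; then
    echo "refusing to import: certificate CN '$cn' is not a fully qualified host name" >&2
    return 1
  fi
  if alias_present "$jre" "$alias"; then
    echo "alias '$alias' already present in $jre/lib/security/cacerts; nothing to do"
    return 0
  fi
  echo "running: $(import_cmd "$jre" "$alias" "$cert")"
  "$jre/bin/keytool" -importcert -noprompt -alias "$alias" \
    -keystore "$jre/lib/security/cacerts" -file "$cert" -trustcacerts
}

# Only perform the import when invoked as: ./import-ssc-cert.sh --run
if [ "${1:-}" = "--run" ]; then
  do_import "${TOOLS_JRE:-/opt/fortify/tools/jre}" "${ALIAS:-SSC}" "${CERT_FILE:-YourCertFile.cer}"
fi
```

The CN check is deliberately strict: a certificate issued to a short host name or to localhost will import without error, but clients connecting by the server's full DNS name will then fail host-name verification, which is the failure the note about the keytool prompts is warning about. Run the script once per client machine, as the procedure requires.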