Automating Application Security configuration

You can automate Application Security configuration before deployment using the autoconfig file. This file includes sections for each configurable aspect of Application Security. The autoconfig file enables automated deployment by providing settings and seed bundles for silent Application Security update and installation. You can use the autoconfig file to automate all Setup wizard tasks. The Setup wizard picks up this file at server startup and automates the entire installation.

The datasource.properties file and some database fields contain encrypted entries that rely on the secret.key file. So, if you are moving your Application Security instance from one computer to another, you must also move the secret.key file (not just your properties file).

To automate Application Security configuration:

To automate the configuration in a root context, see Automating configuration in a root context.

  1. Open a text editor and create a file named <app_context>.autoconfig, where <app_context> is the application server context in which Application Security is deployed (the name of the directory created under <fortify.home>).

  2. Add the following to the <app_context>.autoconfig file in the YAML format shown.

    Copy only the database properties for the database engine you use, and ensure that you remove the hash symbol (#) before each property you want to use.

    appProperties:
 # Include any property found in <fortify.home>/<app_context>/conf/app.properties
 # For example, host.url: 'https://ssc.example.com/ssc/'
 # searchIndex.location: '/home/<app_context>/search_index' 
 # host.validation: false
datasourceProperties: 
 # Include any property found in <fortify.home>/<app_context>/conf/datasource.properties 
 # For example: 
 # db.username: ssc_db_admin_username 
 # db.password: ssc_db_admin_password  
 # SQL Server database 
 # jdbc.url: 'jdbc:sqlserver://mssql-host:1433;database=ssc_db;sendStringParametersAsUnicode=false' 
 # SQL Server database 
 # jdbc.url: 'jdbc:mysql://mysql-host:3306/ssc_db? sessionVariables=collation_connection=latin1_general_cs&rewriteBatchedStatements=true' 
 # Oracle database 
 # jdbc.url: 'jdbc:oracle:thin:oracle-host:1521:ssc_db' 
dbMigrationProperties: 
 # Enable automatic database migration 
 migration.enabled: true 
 # Optionally specify alternative migration credentials 
 # migration.username: ssc_db_admin_username 
 # migration.password: ssc_db_admin_password 
seeds: 
 # Modify the path to the appropriate location for your environment  
 - '/home/ssc/bundles/ Fortify_Process_Seed_Bundle-2025_Q2_<build>.zip ' 
 - '/home/ssc/bundles/ Fortify_PCI_Basic_Seed_Bundle-2025_Q2_<build>.zip ' 
 - '/home/ssc/bundles/ Fortify_PCI_SSF_Basic_Seed_Bundle-2025_Q2_<build>.zip ' 
 - '/home/ssc/bundles/ Fortify_Report_Seed_Bundle-2025_Q2_<build>.zip '
  3. Save the <app_context>.autoconfig file in the <fortify.home>/ directory.

  4. Place a copy of the fortify.license file in your <fortify.home>/ directory.

  5. Ensure that the WAR file name is <app_context>.war .

  6. Start Tomcat server.

After the auto-configuration is complete, Application Security computes the effective configuration checksum and saves it in the version.properties file as the value for the autoconfig.checksum property.

When Application Security starts with the autoconfig file present, it computes an effective configuration checksum and compares it to the checksum stored in the version.properties file. If the checksums do not match, Application Security runs a lightweight auto-configuration, and updates the autoconfig.checksum value.

If the auto-configuration fails for any reason, Application Security is put to maintenance mode (maintenance.mode=true in the version.properties file, which forces either full auto-configuration or the display of the Setup wizard on the next server startup.

The checksum includes:

  • Effective properties from autoconfig appProperties key

  • Effective properties from autoconfig datasourceProperties key

  • File names from effective autoconfig seeds key

  • All properties in the conf/app.properties file

  • All properties in the conf/datasource.properties file

Properties from dbMigrationProperties are not included in the checksum.

Application Security performs the complete automatic configuration only if it is not fully configured. Application Security performs lightweight auto-configuration only if the checksums do not match, but it is otherwise already configured.

Lightweight auto-configuration skips database migration (regardless of the settings in the autoconfig file) and it skips the initial internal bundle seeding. The seeding of bundles provided by the autoconfig seeds key is still performed.