Adding Trusted Certificates

Connections from Fortify Static Code Analyzer to other Fortify software products and external systems might require communication over HTTPS. Some examples include:

When using HTTPS, Fortify Static Code Analyzer and its applications by default apply standard checks to the SSL server certificate that the server presents, including a check to determine whether the certificate is trusted. If your organization runs its own certificate authority (CA) and Fortify Static Code Analyzer needs to trust connections where the server presents a certificate issued by this CA, you must configure Fortify Static Code Analyzer to trust the CA. Otherwise, HTTPS connections might fail.

You must add the trusted certificate of the CA to the Fortify Static Code Analyzer keystore. The Fortify Static Code Analyzer keystore is in the <sca_install_dir>/jre/lib/security/cacerts file. You can use the keytool command to add the trusted certificate to the keystore.

To add a trusted certificate to the Fortify Static Code Analyzer keystore:

  1. Open a command prompt, and then run the following command:

    <sca_install_dir>/jre/bin/keytool -importcert -alias <alias_name> -cacerts -file <cert_file> 

    where:

    • <alias_name> is a unique name for the certificate you are adding.

    • <cert_file> is the name of the file containing the trusted root certificate in PEM or DER format.

  2. Enter the keystore password.

    Note: The default password is changeit.

  3. When prompted to trust this certificate, select yes.
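Before answering yes in step 3, compare the SHA-256 fingerprint that keytool prints above the trust prompt with a value obtained from the CA owner over a separate channel. The following is an added example, not part of the Fortify documentation: it computes that fingerprint from a PEM or DER `<cert_file>` in the same colon-separated form, and the function names and sample bytes are assumptions of this example.

```python
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_der_bytes(data: bytes) -> bytes:
    """Return the DER encoding of the single certificate in a PEM or DER file."""
    blocks = PEM_BLOCK.findall(data)
    if len(blocks) > 1:
        # Choice made for this example: refuse bundles so the fingerprint is unambiguous.
        raise ValueError("file contains more than one certificate")
    if blocks:
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data


def sha256_fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex pairs."""
    digest = hashlib.sha256(cert_der_bytes(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected(data: bytes, expected: str) -> bool:
    """Compare with a fingerprint obtained out of band, ignoring case and separators."""
    want = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    return len(want) == 64 and sha256_fingerprint(data).replace(":", "") == want


# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# over the DER bytes, so this is enough to show that both input formats agree.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-sample"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: python fingerprint.py <cert_file>   (falls back to the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) == 2 else SAMPLE_PEM
    print("SHA256:", sha256_fingerprint(raw))
```

If the printed value differs from the one supplied by the CA owner, answer no at the trust prompt and do not import the file.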